OpenSSL Security Advisory [05 Jun 2014] ? SSL/TLS MITM Vulnerability (CVE-2014-0224)

Document ID : KB000057303
Last Modified Date : 14/02/2018
Show Technical Document Details

Solution

We are reaching out to each of our customers as part of the CA Technologies Customer Care Program?to let you know of important announcements to the product and other related areas.

OpenSSL:?The Open Source toolkit for SSL/TLS

The OpenSSL Project has issued security advisory CVE-2014-0224 and recommends the following upgrades:
?

??? ?OpenSSL 0.9.8 should upgraded to 0.9.8za
??? ?OpenSSL 1.0.0 should upgraded to 1.0.0m
??? ?OpenSSL 1.0.1 should upgraded to 1.0.1e-16.el6_15.14

This vulnerability allows an attacker to use a carefully crafted handshake to force the use of a weak key between a client and server utilizing an SSL/TLS-secured communications channel.? If the attack is executed between a vulnerable client and vulnerable server then the weak key can be exploited by a man-in-the-middle attack. This type of attack can subject the client and server to a loss of confidentiality and integrity.

CA Technologies has been reviewing the vulnerability against the CA API Gateway product suite to understand the complete impact oft his issue. Findings suggest that the following components of the product leverage OpenSSL and may be vulnerable. Please note that the Gateway application itself is not vulnerable. The CA API Gateway suite of products use Java-based SSL/TLS providers--specifically SunJSSE and SSL-J) that are not impacted by the same defects and vulnerabilities of OpenSSL. The scope of this attack vector encompasses the Gateway appliance itself but not the Java-based components of the Gateway application. Components of the Gateway appliance that may be impacted (but is not limited to): The SSH server daemon (openssh-server), the SSH client applications (openssh-clients), MySQL (when using SSL/TLS) and the OpenSSL suite of tools and applications.

Please note that the Android and iOS mobile software development kits provided with the Mobile Access Gateway are not impacted by this vulnerability. These tool kits use OpenSSL for the cryptographic extensions for decryption and encryption and certificate validation. OpenSSL for the mobile SDKs does not rely on OpenSSL for SSL/TLS communications.

Affected Products and Versions

Below are the products and versions affected by this advisory.
?

Product(s): CA API?Gateway / Firewall / API Proxy / Mobile Access Gateway
Form Factor(s): All
Version(s): All (when certain Platform Updates have been deployed)

We highly recommend that the following Platform Security Update be installed against the Gateway appliance as applicable:

The installation and instructions and further details can be found in the release notes for this patch. These notes can be found here.

Product: CA API Developer Portal
Version(s): 2.5.2 and 2.6.0 (when certain Platform Updates have been deployed).


We highly recommend that the following Platform Security Update be installed against the Gateway appliance running the API Developer Portal as applicable:
?