March 4, 2015 – Advisory: FREAK attack SSL/TLS Vulnerability
Yesterday an announcement was made of a new SSL/TLS vulnerability referred to as the “FREAK attack”. The issue is that the key length of the cipher used to encrypt data can be shortened in export libraries, weakening the encryption.
More information can be found here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
This advisory applies to all currently released versions of InterSystems products that support SSL/TLS, including Caché, Ensemble, HealthShare and TrakCare.
By default a SSL/TLS configuration created in InterSystems products is not susceptible to this attack. The default flags for the Cipher Suites include the element !EXP which prevents the shortening of the key length. It is possible for an administrator to override this default. As an example the default flags in Caché 2015.1 are:
TLSv1:SSLv3:!ADH:!LOW:!EXP:@STRENGTH
InterSystems recommends that the above default settings be reviewed for the existence of the !EXP element. If it has been removed it should be re-added. Customers should follow the recommendations of their OS vendors for obtaining corrections to this vulnerability.
If you have any questions regarding this advisory, please contact InterSystems Worldwide Response Center.