Skip to content
Search to learn about InterSystems products and solutions, career opportunities, and more.

Advisory: FREAK attack SSL/TLS Vulnerability

March 4, 2015 – Advisory: FREAK attack SSL/TLS Vulnerability

Yesterday an announcement was made of a new SSL/TLS vulnerability referred to as the “FREAK attack”.  The issue is that the key length of the cipher used to encrypt data can be shortened in export libraries, weakening the encryption.

More information can be found here:

https://freakattack.com/or

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204

This advisory applies to all currently released versions of InterSystems products that support SSL/TLS, including Caché, Ensemble, HealthShare and TrakCare.

By default a SSL/TLS configuration created in InterSystems products is not susceptible to this attack.  The default flags for the Cipher Suites include the element !EXP which prevents the shortening of the key length.  It is possible for an administrator to override this default.  As an example the default flags in Caché 2015.1 are:

TLSv1:SSLv3:!ADH:!LOW:!EXP:@STRENGTH

InterSystems recommends that the above default settings be reviewed for the existence of the !EXP element.  If it has been removed it should be re-added.  Customers should follow the recommendations of their OS vendors for obtaining corrections to this vulnerability.

If you have any questions regarding this advisory, please contact InterSystems Worldwide Response Center.

Sign Up Today

Receive notifications on support alerts, critical issues,
fixes, and product releases.
*Required Fields
Highlighted fields are required
*Required Fields
Highlighted fields are required
By submitting this form, you give consent to receive notifications concerning support alerts, critical issues, important updates, fixes, and product releases via email. In addition, you consent to your business contact information being entered into our CRM solution that is hosted in the United States, but maintained consistent with applicable data protection laws.
**By clicking here, you give consent to be contacted for news, updates and other marketing purposes related to existing and future InterSystems products, offerings, and events.