Important news in the use of product
 
 
【HWS15-002】


Updated: May 8, 2015

SSL/TLS implementations 'FREAK' issue

1. Overview

 A weakness in the SSL/TLS protocol, which is used to encrypt Internet communication, has been found and reported as FREAK. The weakness, in which the use of weak cryptography is forced, originates from the U.S. cryptography export regulations of the 1990s.
 The attack presupposes that a third party can break into the communication path, for example by taking over a DNS server or by spoofing a Fixed Wireless Access point. Therefore, please use the products on a trusted network.


Reference
SSL/TLS implementations accept export-grade RSA keys (FREAK attack)
http://www.kb.cert.org/vuls/id/243585


2. Workarounds for the FREAK weakness

 An attack that exploits the FREAK weakness requires export-grade RSA cipher suites (RSA-EXPORT) to be enabled. Therefore, the attack can be avoided by deleting or disabling the RSA-EXPORT cipher suites in the list of available cipher suites.
 The products in which RSA-EXPORT cipher suites are currently enabled by default, and the products to which the workaround above cannot be applied, are listed below. This information will be revised as soon as new details are confirmed.

Table 1: Affected products

| No. | Product name | Correspondence | Remarks |
|---|---|---|---|
| 1 | uCosminexus Application Server | 【before 09-50】 For the cipher suites available in TLS/SSL communication of the component product Cosminexus Developer's Kit for JAVA (TM), specify cipher suites other than the RSA-EXPORT ones. 【before 08-70】 For the cipher suites available in SSL communication of the component product Hitachi Web Server, specify cipher suites other than the RSA-EXPORT ones. For details, refer to the following software product security information: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-018/index.html | List added March 20, 2015. List updated May 8, 2015. |
| 2 | Hitachi Web Server | 【before 04-20】 For the cipher suites available in SSL communication of Hitachi Web Server, specify cipher suites other than the RSA-EXPORT ones. For details, refer to the following software product security information: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-018/index.html | List added March 20, 2015. List updated April 28, 2015. |
| 3 | JP1/Automatic Job Management System 3 - Web Operation Assistant | Contact the product support desk for the workaround. | List added March 20, 2015. |
| 4 | JP1/Cm2/Network Node Manager i | Versions 09-50-01 to 09-50-02 are affected. If you use an affected version, apply the latest patch for 09-50. | List added March 20, 2015. |
| 5 | Tape library device L30A/L300 | Cut the device off from external networks. | List added March 20, 2015. |
| 6 | Load balancer AX2000/AX2000HL/AX2500EL130 BIG-IP1500 | Contact the product support desk for the workaround. | List added March 20, 2015. |
| 7 | BS320 server blade L4 model (load balancer blade) | Contact the product support desk for the workaround. | List added March 20, 2015. |
| 8 | BladeSymphony BS2500 series 1/10Gb LAN switch module program unit | Affected when the VMready function (VMware cooperation function) is enabled and the VMware host version is earlier than 5.5 (the issue has been addressed in VMware 5.5). Take one of the following measures: ・Cut off the management network from external networks. ・Disable the VMready function. | List added March 20, 2015. List updated April 28, 2015. |
| 9 | Hitachi Virtual File Platform, Hitachi Data Ingestor | In a system configuration connected to Hitachi Content Platform, the product might be affected by the weakness through an external network. For details about this information, contact your Hitachi support service representative. | List added April 01, 2015. |
| 10 | HA8000 series RS440xKxK1xLxL1xL2 model | Cut off the management network from external networks. | List added April 09, 2015. |
| 11 | HA8000 series RS440xM model | Cut off the management network from external networks. Contact the product support desk for the schedule of the fix. | List added April 28, 2015. |
| 12 | HA8500 series SDE6, c3000/c7000 | Cut off the management network to which the Onboard Administrator (OA) is connected from external networks. | List added April 16, 2015. |
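
The workaround in this section (removing RSA-EXPORT cipher suites from the available list) can be checked mechanically. The following is an added example, not code from Hitachi or from any of the listed products: a Python audit that sorts a configured suite list into suites to keep and suites to remove. The sample list is constructed; names follow the IANA, Java and OpenSSL naming styles, and export-grade suites with other key exchanges are reported separately, which goes beyond what the advisory requires.

```python
import re

# IANA (TLS_...) and Java JSSE (SSL_...) names: export-grade with plain RSA
# key exchange. These are the RSA-EXPORT suites the workaround removes.
_RSA_EXPORT = re.compile(r"^(TLS|SSL)_RSA_EXPORT(1024)?_WITH_")
# Export-grade with any key exchange (DHE, DH_anon, KRB5, ...).
_ANY_EXPORT = re.compile(r"^(TLS|SSL)_\w+_EXPORT(1024)?_WITH_")
# OpenSSL names: EXP- / EXP1024- prefix; no key-exchange token means RSA.
_OPENSSL_EXPORT = re.compile(r"^EXP(1024)?-(?:(?P<kx>EDH|DHE|ADH|DH|KRB5)-)?")

# Constructed sample of a configured suite list, mixing the naming styles.
SAMPLE = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-RC2-CBC-MD5",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "AES256-SHA",
]


def classify(suite):
    """Return 'rsa-export', 'other-export' or 'ok' for one suite name."""
    name = suite.strip().upper()
    if _RSA_EXPORT.match(name):
        return "rsa-export"
    if _ANY_EXPORT.match(name):
        return "other-export"
    m = _OPENSSL_EXPORT.match(name)
    if m:
        return "other-export" if m.group("kx") else "rsa-export"
    return "ok"


def audit(suites):
    """Split a configured suite list into what to keep and what to remove."""
    report = {"keep": [], "rsa-export": [], "other-export": []}
    for suite in suites:
        verdict = classify(suite)
        report["keep" if verdict == "ok" else verdict].append(suite.strip())
    return report


if __name__ == "__main__":
    for verdict, names in audit(SAMPLE).items():
        print(f"{verdict:13}{', '.join(names)}")
```
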


3. Workarounds for the OpenSSL weakness (CVE-2015-0204)

 An OpenSSL vulnerability (CVE-2015-0204) related to FREAK has been disclosed. The affected products are as follows.
 The affected products are still being investigated, so this information will be revised as soon as new details are confirmed.

Table 2: Affected products

| No. | Product name | Correspondence | Remarks |
|---|---|---|---|
| 1 | Red Hat Enterprise Linux | For details, refer to the following information published by Red Hat: https://access.redhat.com/security/cve/CVE-2015-0204 | List added March 09, 2015. |
| 2 | Hitachi Virtual File Platform, Hitachi Data Ingestor | In a system configuration connected to Hitachi Content Platform, the product might be affected by the weakness through an external network. For details about this information, contact your Hitachi support service representative. | List added April 01, 2015. |
| 3 | uCosminexus Application Server | For details, refer to the following software product security information: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS15-019/index.html | List added May 8, 2015. |


4. Workarounds in Microsoft security information MS15-031

 Microsoft has published security information about a vulnerability (CVE-2015-1637) related to FREAK at the following URL.
It also describes, as a workaround for clients, a procedure that makes all RSA key exchange cipher suites unavailable. However, applying that workaround may make connections from IE to our products impossible, so we do not recommend it.

Microsoft security information MS15-031
https://technet.microsoft.com/en-us/library/security/ms15-031



5. Reference

For details about this information, contact your Hitachi support service representative.


Revision history

  • May 8, 2015: Added details for uCosminexus Application Server to the workarounds for the FREAK weakness.
            Added uCosminexus Application Server to the workarounds for the OpenSSL weakness (CVE-2015-0204).
  • April 28, 2015: Added the HA8000 series to the workarounds for the FREAK weakness.
            Updated the BladeSymphony BS2500 series, 1/10Gb LAN switch module program unit.
            Added details for Hitachi Web Server.
  • April 16, 2015: Added the HA8500 series to the workarounds for the FREAK weakness.
  • April 09, 2015: Added the HA8000 series to the workarounds for the FREAK weakness.
  • April 01, 2015: Added Hitachi Virtual File Platform and Hitachi Data Ingestor to the workarounds for the FREAK weakness and the workarounds for the OpenSSL weakness (CVE-2015-0204).
  • March 20, 2015: Added table 1 to the workarounds for the FREAK weakness.
  • March 11, 2015: Added information about workarounds for the FREAK weakness.
            Changed the Microsoft URL.
  • March 09, 2015: This page was released.

  • The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
 
All Rights Reserved.Copyright (C), Hitachi, Ltd.