Posted to users@tomcat.apache.org by "Penubothu, Srinivasa M" <sr...@bankofamerica.com> on 2015/05/15 14:10:19 UTC

CVE-2015-0204 - FREAK vulnerability on tomcat 7.

Hello, I am looking for help with fixing the FREAK vulnerability on Tomcat 7. I am unable to find a solution for Tomcat. Any help would be much appreciated.

Regards

Srinivasa(Vasu) Penubothu

----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.

RE: CVE-2015-0204 - FREAK vulnerability on tomcat 7.

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Penubothu, Srinivasa M [mailto:srinivasa.penubothu@bankofamerica.com] 
> Subject: RE: CVE-2015-0204 - FREAK vulnerability on tomcat 7.

> Title: SSL/TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
> CVE ID: CVE-2015-0204

That particular CVE number is only for the OpenSSL client side of the problem.  Whether or not your server accepts RSA export keys is controlled by configuration, and is not officially a CVE item.

> Diagnosis: The remote SSL/TLS server accepts RSA_EXPORT cipher suites which is vulnerable 
> to session downgrade vulnerability.
> Result: Exploitation allows an attacker to bypass security restrictions on the targeted host.
> Recommended Solution: Disable RSA_EXPORT cipher suites.

> Trying to find how to apply this fix in Tomcat 7. Appreciate your help!

Read this mailing list thread:
http://marc.info/?l=tomcat-user&m=142911397006702&w=2

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
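Chuck's point is that whether the server offers RSA_EXPORT suites is a matter of connector configuration: in Tomcat 7 the JSSE connector's `ciphers` attribute in server.xml either pins an explicit suite list or, when absent, defers to the JRE's default enabled suites. The following audit script is an added example and not part of this thread; the server.xml it parses is constructed, and the suite names are standard JSSE names.

```python
"""Audit Tomcat 7 server.xml SSL connectors for RSA_EXPORT cipher suites.

Added example, not from the mailing-list thread. The server.xml below is
constructed for illustration; cipher suite names are standard JSSE names.
"""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml: one connector pinned to an explicit suite list that
# still includes an export suite, one with no `ciphers` attribute (so the JRE
# default list decides), and one with a hardened explicit list.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               ciphers="TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>"""

# JSSE names of export-grade suites carry "_EXPORT" (40-bit symmetric keys,
# 512-bit RSA key exchange); that is the class of suite FREAK downgrades to.
EXPORT_RE = re.compile(r"_EXPORT")


def audit(server_xml):
    """Return {port: (status, export_suites)} for every SSLEnabled connector.

    status is "explicit-export" (pinned list still contains export suites),
    "jvm-default" (no `ciphers` attribute, so the JRE version decides, which
    is why "update the JRE" is the other answer in the thread) or "ok".
    """
    findings = {}
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        raw = conn.get("ciphers")
        if raw is None:
            findings[port] = ("jvm-default", [])
            continue
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        export = [s for s in suites if EXPORT_RE.search(s)]
        findings[port] = ("explicit-export" if export else "ok", export)
    return findings
```

Run it against a real conf/server.xml by reading the file into `audit()`; a "jvm-default" finding means the JRE's enabled-suite list, not Tomcat, decides whether export suites are offered.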


Re: CVE-2015-0204 - FREAK vulnerability on tomcat 7.

Posted by David kerber <dc...@verizon.net>.
On 5/15/2015 8:23 AM, Penubothu, Srinivasa M wrote:
> Here are the details of the vulnerability.
>
> Title: SSL/TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
> CVE ID: CVE-2015-0204
> Diagnosis: The remote SSL/TLS server accepts RSA_EXPORT cipher suites which is vulnerable to session downgrade vulnerability.
> Result: Exploitation allows an attacker to bypass security restrictions on the targeted host.
> Recommended Solution: Disable RSA_EXPORT cipher suites.
>
> Trying to find how to apply this fix in Tomcat 7. Appreciate your help!

Update to the latest JRE and TC versions.



RE: CVE-2015-0204 - FREAK vulnerability on tomcat 7.

Posted by "Penubothu, Srinivasa M" <sr...@bankofamerica.com>.
Here are the details of the vulnerability.

Title: SSL/TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
CVE ID: CVE-2015-0204
Diagnosis: The remote SSL/TLS server accepts RSA_EXPORT cipher suites which is vulnerable to session downgrade vulnerability.
Result: Exploitation allows an attacker to bypass security restrictions on the targeted host.
Recommended Solution: Disable RSA_EXPORT cipher suites.

Trying to find how to apply this fix in Tomcat 7. Appreciate your help!


Regards

Srinivasa(Vasu) Penubothu

Mortgage Build & Deployment Team
• MTGBDT SharePoint Site
• MTGBDT Nexus Engagement Link
Division: Mortgage Technology
Phones: 469-201-8855(Work)
              214-250-8424(Mobile)
Email: srinivasa.penubothu@bankofamerica.com

Re: CVE-2015-0204 - FREAK vulnerability on tomcat 7.

Posted by Neill Lima <ne...@visual-meta.com>.
We would love to help but without the bare minimum description we are
unable to do so.

Sorry!