OpenSSL Information for VU#583776

Network traffic encrypted using RSA-based SSL certificates over SSLv2 may be decrypted by the DROWN attack

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

OpenSSL 1.0.2g and 1.0.1s have been released to address this vulnerability. Please see OpenSSL's security advisory at the URL below.

A third-party tool, testssl.sh (http://testssl.sh/), is available to check for security issues, including this one.

Another option for network administrators to determine if a server supports SSLv2 is to use the following command:

openssl s_client -connect host:443 -ssl2

If certificate information is returned, then SSLv2 is supported. It has been reported that this command may not work on Ubuntu or Debian systems.
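The following script is an added example, not part of the original advisory or of OpenSSL. It wraps the command above and separates the three outcomes an administrator will see: certificate returned, no certificate, and a local openssl that rejects -ssl2. The function names and the "unknown option" wording it matches are assumptions; adjust the pattern to what your openssl build prints.

```shell
#!/bin/sh
# Added example: interpret `openssl s_client -connect host:443 -ssl2`.

# classify_ssl2_output: read s_client output (stdout and stderr) on stdin, print
#   supported      certificate information came back, so SSLv2 is enabled
#   inconclusive   the local openssl rejected -ssl2 (client built without SSLv2),
#                  so nothing was learned about the server
#   not-supported  the client tried SSLv2 and no certificate was returned
classify_ssl2_output() (
    # Lower-case everything so the match does not depend on message casing.
    out=$(tr '[:upper:]' '[:lower:]')
    case $out in
        *"begin certificate"*) echo supported ;;
        # Assumed wording of the client-side error; varies by openssl version.
        *"unknown option"*)    echo inconclusive ;;
        *)                     echo not-supported ;;
    esac
)

# check_ssl2 HOST [PORT]: run the advisory's command and classify the result.
check_ssl2() (
    host=$1
    port=${2:-443}
    # stdin from /dev/null makes s_client exit once the handshake finishes.
    openssl s_client -connect "$host:$port" -ssl2 </dev/null 2>&1 |
        classify_ssl2_output
)

# Run a check only when a host is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ssl2 "$@"
fi
```

An "inconclusive" result means the test has to be repeated from a machine whose openssl still includes SSLv2, or with a scanner such as testssl.sh.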

Vendor References

https://www.openssl.org/news/secadv/20160301.txt

Addendum

There are no additional comments at this time.
