The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
1. Download the file (Proxy_x86_64_R5.22.openssl101m.patch.zip) attached to this KB. Unzip the file. The unzipped file is an ISO that contains a script. The script detects an App Proxy or Email Proxy installation, displays the currently used version of OpenSSL and the version to be applied, and prompts you to apply the patch.
2. After you extract the .iso file, mount the .iso on your app proxy, email proxy or secure proxy server.
3. Type the following command:
Note: Symantec Secure Proxy integrates its own captive OpenSSL instance directly. Symantec Secure Proxy does not use or modify any other OpenSSL instances, including the one that your operating system may use by default. The attached patch fixes Symantec Secure Proxy's captive OpenSSL instance only. You may need to upgrade or patch your operating system's OpenSSL separately.
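Because the captive OpenSSL instance is separate from the operating system's, it helps to classify each `openssl version` string you find against the fixed releases named in the CVE text above (0.9.8zd, 1.0.0p, 1.0.1k). The following POSIX shell check is an added example, not the KB's script or Symantec code; it assumes the input is the output of `openssl version` and treats 1.0.2 and later as outside the CVE's affected range.

```shell
#!/bin/sh
# Added example (not from the KB): decide whether an OpenSSL version string is
# already fixed for CVE-2015-0204 (FREAK, client side).

# Convert an OpenSSL letter suffix ("", "e", "k", "zd") to a comparable number.
# Letters run a..z, then za, zb, ...; summing a=1..z=26 per letter preserves order.
suffix_rank() {
    s=$1
    rank=0
    while [ -n "$s" ]; do
        c=$(printf '%s' "$s" | cut -c1)
        s=$(printf '%s' "$s" | cut -c2-)
        code=$(printf '%d' "'$c")      # ASCII code of the letter
        rank=$((rank + code - 96))     # "zd" = 26 + 4 = 30
    done
    echo "$rank"
}

# Print "fixed", "vulnerable", "unaffected" or "unknown" for a string such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013".
cve_2015_0204_status() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then echo unknown; return; fi
    branch=$(printf '%s' "$ver" | sed 's/[a-z]*$//')   # e.g. 1.0.1
    letters=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')  # e.g. e
    case $branch in
        0.9.8) need=zd ;;
        1.0.0) need=p ;;
        1.0.1) need=k ;;
        0.9.[0-7]|0.[0-8].*) echo vulnerable; return ;;  # older than 0.9.8zd
        *) echo unaffected; return ;;                    # 1.0.2 and later
    esac
    if [ "$(suffix_rank "$letters")" -ge "$(suffix_rank "$need")" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Check the OpenSSL binary found first in PATH, if any (the captive instance
# shipped with the proxy must be checked by its own path).
if command -v openssl >/dev/null 2>&1; then
    printf '%s: %s\n' "$(openssl version)" "$(cve_2015_0204_status "$(openssl version)")"
fi
```

Run it against the captive instance's binary as well as the system one, since the note above says the two are patched independently.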