> From: Penubothu, Srinivasa M [mailto:srinivasa.penubo...@bankofamerica.com] 
> Subject: RE: CVE-2015-0204 - FREAK vulnerability on tomcat 7.

> Title: SSL/TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
> CVE ID: CVE-2015-0204

That particular CVE number is only for the OpenSSL client side of the problem.  
Whether or not your server accepts RSA export keys is controlled by 
configuration, and is not officially a CVE item.

> Diagnosis: The remote SSL/TLS server accepts RSA_EXPORT cipher suites which 
> is vulnerable 
> to session downgrade vulnerability.
> Result: Exploitation allows an attacker to bypass security restrictions on 
> the targeted host.
> Recommended Solution: Disable RSA_EXPORT cipher suites.

> Trying to find how to apply this fix in Tomcat 7. Appreciate your help!

Read this mailing list thread:
http://marc.info/?l=tomcat-user&m=142911397006702&w=2

 - Chuck
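For readers who want the concrete Tomcat 7 setting the thread above refers to, here is an added server.xml example (not code from the thread, Bank of America, or the Tomcat project). Whether the server offers export suites is decided by the HTTPS Connector's cipher list, so the fix is to set that list explicitly instead of inheriting the JVM or OpenSSL defaults. The port, keystore and certificate paths, and the password are assumptions for illustration; the attribute names (`ciphers`, `sslEnabledProtocols` for JSSE; `SSLCipherSuite`, `SSLProtocol` for APR) are the Tomcat 7 connector attributes.

```xml
<!-- Added example, not the thread's or Tomcat's own configuration.
     Paths, port and password below are placeholders. -->

<!-- BEFORE (weak): no "ciphers" attribute, so the connector offers whatever the
     JVM's JSSE provider enables by default, which may include RSA_EXPORT suites
     such as SSL_RSA_EXPORT_WITH_RC4_40_MD5 and SSL_RSA_EXPORT_WITH_DES40_CBC_SHA. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/example.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

<!-- AFTER (JSSE connector, BIO or NIO): an explicit allow-list of non-export
     suites using JSSE names. Nothing with EXPORT, NULL, anon, RC4 or DES is listed,
     so the server cannot negotiate them regardless of what the JVM supports. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/example.jks" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA" />

<!-- AFTER (APR/native connector): the cipher list uses OpenSSL cipher-string
     syntax instead of JSSE names, and "!EXPORT" removes every export-grade suite. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="conf/server.crt"
           SSLCertificateKeyFile="conf/server.key"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLCipherSuite="HIGH:!aNULL:!MD5:!EXPORT" />
```

Two caveats. First, the JSSE and APR lists are not interchangeable: a JSSE connector silently ignores cipher names it does not recognise, so an OpenSSL-style string on `ciphers` leaves you with whatever the JVM would have enabled anyway; check Tomcat's startup log for warnings about unrecognised ciphers after changing the list. Second, to confirm the fix from outside, run `openssl s_client -connect host:8443 -cipher EXPORT` from an OpenSSL build that still ships export suites (1.0.x; they were removed in 1.1.0). A handshake failure means the server no longer accepts them; a completed handshake means the wrong connector, or the wrong attribute for that connector type, was edited.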

