CVE-2015-0204

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k openssl-1.0.1e openssl-devel-1.0.1e openssl-static-1.0.1e openssl-libs-1.0.1e openssl-debuginfo-1.0.1e

Description The issue allows remote SSL servers to conduct RSA-to-EXPORT RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. This can lead to a denial of service condition or allow an attacker to gain access to sensitive data. The vulnerability can be exploited remotely.

Recommendations For versions prior to 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k, update to a version that includes the fix for this issue. For openssl-1.0.1e, openssl-devel-1.0.1e, openssl-static-1.0.1e, openssl-libs-1.0.1e, and openssl-debuginfo-1.0.1e, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the ssl3 get key exchange function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation.