KB Article #176927

VA and the FREAK SSL Issues (CVE-2015-0204 & CVE-2015-0205)

Problem

* Is VA vulnerable to the FREAK SSL issues?

Resolution

VA uses OpenSSL for SSL communications. The FREAK advisory for OpenSSL lists two CVEs, CVE-2015-0204 and CVE-2015-0205. These CVEs were originally disclosed in the 08 JAN 2015 OpenSSL advisory, for which we released updates back in January.

VA 4.12.0 SP3, 4.11.1 SP7 P6 and 4.11.2 SP5 include OpenSSL 1.0.0p, while VA 4.10.6 SP14 includes OpenSSL 0.9.8zd; neither of these OpenSSL versions is vulnerable to FREAK. Releases prior to these used a vulnerable version of OpenSSL and should be updated accordingly.
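The fixed OpenSSL versions above sit on two different branches, so a single "minimum version" comparison misclassifies them (0.9.8zd is patched but sorts below 1.0.0p). The following is an added example, not part of the original article or the product: it classifies an OpenSSL version string per branch using only the two fixed versions named here. The function names and sample strings are constructed for illustration, and it assumes you can obtain the version string of the bundled OpenSSL build.

```python
import re

# Patched OpenSSL releases named in this article, keyed by branch.
# Branches the article does not mention are reported as "unknown".
FIXED = {"1.0.0": "p", "0.9.8": "zd"}

_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse(text):
    """Return (branch, letters) from a string such as 'OpenSSL 0.9.8zd'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    return match.group(1), match.group(2)


def patch_rank(letters):
    """Order letter releases: '' < a < ... < z < za < zb < ..."""
    return (len(letters), letters)


def freak_status(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    branch, letters = parse(version_text)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"  # branch not covered by this article
    if patch_rank(letters) >= patch_rank(fixed):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from any product.
    samples = [
        "OpenSSL 1.0.0p",
        "OpenSSL 1.0.0o",
        "OpenSSL 0.9.8zd",
        "OpenSSL 0.9.8zc",
        "OpenSSL 0.9.8y",
        "OpenSSL 1.0.2",
    ]
    for sample in samples:
        print("%-18s %s" % (sample, freak_status(sample)))
```

An "unknown" result means the branch is outside what this article covers and should be checked against the OpenSSL advisory directly.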