Environment
Situation
In May 2015, researchers announced weaknesses in the Diffie-Hellman key exchange, which is used in many encrypted connection protocols (CVE-2015-4000). This technical note provides information on affected products.
The Diffie-Hellman (DH) key exchange is a method of securely exchanging cryptographic keys over a public channel. This method is used by a number of encrypted connection protocols.
With TLS protocol version 1.2 and earlier, if the DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. The client can be forced to use a weaker ciphersuite, even though the client does not have it enabled.
Additionally, in any TLS or SSH connection where both server and client are enabled to use weaker DH groups for key exchange, an attacker can passively eavesdrop and decrypt sessions. Groups with 1024-bit length or less are considered vulnerable, which includes the 512-bit export DH.
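The following is an added example, not code from this technical note or from any listed product: a defensive check that parses the ServerDHParams structure from a TLS 1.2-or-earlier ServerKeyExchange message and applies the thresholds stated above. The function names and the sample inputs are constructed for illustration; the sample modulus is a placeholder of the right length, not a real DH prime.

```python
import struct

# DHE_EXPORT suite IDs as assigned in the IANA TLS cipher suite registry.
DHE_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def read_opaque16(buf, off):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte length, then the bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:end], end

def dh_prime_bits(params):
    """Bit length of dh_p in a ServerDHParams structure (dh_p, dh_g, dh_Ys)."""
    p, off = read_opaque16(params, 0)
    _g, off = read_opaque16(params, off)   # parsed to validate the framing
    _ys, off = read_opaque16(params, off)
    return int.from_bytes(p, "big").bit_length()

def audit(suite_id, params):
    """Return findings using this note's thresholds (<=512 export, <=1024 weak)."""
    findings = []
    if suite_id in DHE_EXPORT_SUITES:
        findings.append("server selected " + DHE_EXPORT_SUITES[suite_id])
    bits = dh_prime_bits(params)
    if bits <= 512:
        findings.append(f"{bits}-bit DH group (export-grade)")
    elif bits <= 1024:
        findings.append(f"{bits}-bit DH group (weak)")
    return findings

def sample_params(bits):
    """Constructed ServerDHParams; the modulus is a placeholder, not a real prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    vec = lambda b: struct.pack("!H", len(b)) + b
    return vec(p) + vec(b"\x02") + vec(b"\x01" * len(p))

if __name__ == "__main__":
    # 0x0033 is TLS_DHE_RSA_WITH_AES_128_CBC_SHA (non-export DHE).
    for suite, bits in [(0x0014, 512), (0x0033, 1024), (0x0033, 2048)]:
        print(hex(suite), bits, audit(suite, sample_params(bits)) or "no findings")
```

Checking the size of dh_p, and not only the suite ID, matters because a non-export DHE suite can still be served with a group of 1024 bits or less.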
Resolution
Product Information
Refer to the information below for your product(s). If your product is under investigation, check again later as this technical note will be updated when new information becomes available.
| Product | Security Updates |
|---|---|
| Databridge | Not affected |
| Extra! | See Security Alerts - Extra! |
| FileXpress Gateway | See Security Alerts - Reflection for Secure IT Gateway |
| InfoConnect products | See https://support.microfocus.com/security/ |
| Reflection PKI Services Manager | Not affected |
| Reflection X Advantage | See Security Alerts - Reflection X Advantage |
| Reflection 2014 products | See Security Alerts - Reflection Desktop |
| Reflection 14.1 products | See https://support.microfocus.com/security/ |
| Reflection for Secure IT Client for Windows | See https://support.microfocus.com/security/ |
| Reflection for Secure IT Server for Windows | See https://support.microfocus.com/security/ |
| Reflection for Secure IT Client and Server for UNIX | See https://support.microfocus.com/security/ |
| Reflection for UNIX (iOS/Android) | Under investigation |
| Reflection for the Web 2014 products | See https://support.microfocus.com/security/ |
| Reflection Security Gateway 2014 | See https://support.microfocus.com/security/ |
| Reflection ZFE | Not affected |
| Verastream Host Integrator | See https://support.microfocus.com/security/ |