Dear CA Customer:
On Tuesday, March 03, 2015 a new SSL/TLS vulnerability was disclosed CVE-2015-0204. This exploit is commonly called FREAK (Factoring attack on RSA-EXPORT Keys). The vulnerability allows a ‘man in the middle’ attacker to downgrade connections from ‘strong’ RSA to ‘export’ grade RSA. The National Vulnerability Database gives this vulnerability a MEDIUM risk rating using the Common Vulnerability Scoring System (CVSS).
PRODUCT(S) AFFECTED: | RELEASES: |
CA Workload Control Center (WCC) | 11.1, 11.3, 11.3 SP1 |
UAJM Agent (via CAPKI if SSL Enabled) | 11.0 |
SystemAgent | 11.3.x |
IMPACT:
Some modern SSL/TLS clients, including OpenSSL have a flaw that can force them to accept export-grade RSA if the server supports export RSA. The vulnerability affects a variety of clients.
CAPKI (aka ETPKI), WCC 11.1 & 11.3 (Tomcats), UAJM 11.0 Agent and SystemAgent 11.3.x components are at risk.
CA Workload Automation iDash is unaffected. CA Workload Automation AE schedulers patched with CAPKI version 4.3.6 or later are not exposed.
RECOMMENDATION(S):
CAPKI
Version 4.3.6 of CAPKI has been fortified against the weak encryption vulnerability to prevent clients from being exposed. This vulnerability has been addressed starting with version 4.3.6 of CAPKI. CAPKI 4.3.6 is included with 11.3.6 SP1 and may be applied to all currently supported AE scheduler, client and agent hosts.
WCC (if SSL is enabled)
Versions 11.1 SP4, 11.3, 11.3 SP1 may protect affected clients against the FREAK vulnerability by executing the following:
- Disable SSLv3 as described in the SSLv3 POODLE Advisory
- Disable weak ciphers for each tomcat as described in WCC: Disable Weak Ciphers in SSL Mode document.
SystemAgent 11.3.x
If the SystemAgent is configured and being used as a FTP server it is potentially vulnerable to a small degree due to use of FTP over SSL (ftps). CA will address this in a future release.
Thank you,
CA Workload Automation Team