Dear CA Customer:
On Tuesday, March 03, 2015, a new SSL/TLS vulnerability, CVE-2015-0204, was disclosed. It is commonly called FREAK (Factoring attack on RSA-EXPORT Keys). The vulnerability allows a ‘man in the middle’ attacker to downgrade connections from ‘strong’ RSA to ‘export’ grade RSA. The National Vulnerability Database gives this vulnerability a MEDIUM risk rating using the Common Vulnerability Scoring System (CVSS).
PRODUCT(S) AFFECTED: SystemAgent
RELEASES: 11.3.x
IMPACT:
Some modern SSL/TLS clients, including OpenSSL, have a flaw that can force them to accept export-grade RSA if the server supports export RSA. The vulnerability affects a variety of clients.
CA Workload Automation DE schedulers are not exposed.
RECOMMENDATION(S):
SystemAgent 11.3.x
If the SystemAgent is configured and being used as an FTP server, it is potentially vulnerable to a small degree due to its use of FTP over SSL (ftps). CA will address this in a future release.
Thank you,
CA Workload Automation Team