SECURITY UPDATE |  |
| Release Date: | 2016-03-07 |
| Description: | SSLv2 DROWN Attack |
| Criticality Level: | High |
| Impact: | Potential Exposure of Sensitive Data |
| Systems Affected: | Potential impact includes all platforms/sites protected by HTTPS |
| Solution Status: | Closed/Resolved |
| Discovered By: | Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt |
| Relevant Changesets: | None |
Summary:
Recently, a new SSL vulnerability was discovered by a group of security researchers. The vulnerability has been given the name "DROWN", which is an acronym for "Decrypting RSA with Obsolete and Weakened eNcryption." The gist of the vulnerability is if a site is configured to support SSLv2, which is a deprecated version of the SSL (Secure Socket Layer) protocol, the encryption can be compromised by a third party.
Status:
Instructure operations has concluded that only one of its sites/services, an internal QA tool, was configured with the deprecated version of the SSL protocol. The potentially vulnerable site has since been reconfigured to disable SSLv2 and all associated cyphers.
Because of strict network isolation between pre-production and production environment, the risk to production environments was mitigated.
Further Information:
https://www.openssl.org/news/secadv/20160301.txt
https://drownattack.com/drown-attack-paper.pdf
