Addressing the FREAK Vulnerability

After a careful review by Informatica’s product development teams, patches to mitigate the FREAK SSL/TLS vulnerability (CVE-2015-0204) are now available from our support website.

What you need to know

The FREAK vulnerability allows an attacker with a privileged position on a network (e.g. a “man-in-the-middle” attacker) to compromise the SSL/TLS handshake between the client and server. The attack forces the server to use a weak, export-grade cipher even if the client specifies a stronger cipher. Weak ciphers are more vulnerable to attack and brute-force decryption. Due to a bug in affected SSL/TLS libraries, the client accepts the export-grade cipher, which puts the encrypted transmission at risk of disclosure.
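To make the downgrade concrete from a defender's point of view, here is an added example (not code from Informatica's advisory) that parses constructed TLS ClientHello/ServerHello records and flags the FREAK signature: a server selecting an RSA_EXPORT suite, and in particular one the client never offered, which is what a tampered handshake looks like on the wire.

```python
"""Flag a FREAK-style export-cipher downgrade between a ClientHello and ServerHello.

Constructed example records use TLS 1.0 framing; the only suites checked are
the RSA export suites from RFC 2246 that the FREAK attack relies on.
"""
import struct

EXPORT_SUITES = {                       # RSA_EXPORT suites (RFC 2246 appendix A.5)
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _hello_body(record, hs_type):
    """Return the Hello bytes that follow version/random/session_id."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])   # record header
    if ctype != 0x16 or rlen != len(record) - 5:
        raise ValueError("not a well-formed handshake record")
    hs = record[5:]                                         # handshake header
    if hs[0] != hs_type or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("unexpected handshake message type/length")
    body = hs[4:]
    sid_len = body[34]               # version(2) + random(32), then session_id
    return body[35 + sid_len:]

def client_hello_suites(record):
    rest = _hello_body(record, 0x01)
    n = struct.unpack("!H", rest[:2])[0]                    # cipher_suites length
    return [struct.unpack("!H", rest[2 + i:4 + i])[0] for i in range(0, n, 2)]

def server_hello_suite(record):
    return struct.unpack("!H", _hello_body(record, 0x02)[:2])[0]

def freak_verdict(client_record, server_record):
    """'ok', 'export' (weak suite the client offered) or 'downgrade' (never offered)."""
    offered, chosen = client_hello_suites(client_record), server_hello_suite(server_record)
    if chosen not in EXPORT_SUITES:
        return "ok"
    return "downgrade" if chosen not in offered else "export"

def _record(hs_type, payload):       # wrap a Hello payload in handshake + record headers
    hs = bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

def build_client_hello(suites):      # constructed sample: fixed random, empty session id
    body = struct.pack("!H", 0x0301) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    return _record(0x01, body + b"\x01\x00")                # one compression method: null

def build_server_hello(suite):
    body = struct.pack("!H", 0x0301) + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(0x02, body)

if __name__ == "__main__":
    strong = build_client_hello([0x002F, 0x0035])           # AES-128/256-CBC-SHA only
    print(freak_verdict(strong, build_server_hello(0x0003)))  # "downgrade"
```

The "downgrade" case is the one worth alerting on in passive monitoring: it means the ServerHello's suite was not in the ClientHello the monitor saw, so either the client is buggy in the FREAK sense or the handshake was altered in transit.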

For more information about the FREAK vulnerability, see the post by Matt Green, who coordinated the widespread disclosure:

What you need to do

The following Informatica products now have updated SSL/TLS libraries available to address this vulnerability:

  • Big Data Edition
  • Data Explorer
  • Data Quality
  • Data Replication
  • Data Services
  • Native Adapters
  • PowerCenter
  • PowerCenter Express
  • PowerExchange Mainframe and Changed-Data Capture

Customers should log into their MySupport account, open this KnowledgeBase article, and then apply the appropriate patch for their product.

Because SSL/TLS vulnerabilities also affect underlying operating systems (including Microsoft Windows and various Linux variants), we also recommend reviewing your OS patch levels and applying fixes as necessary.

If the number of critical vulnerabilities disclosed since late 2014 has reinforced anything, it’s that teams need repeatable, efficient processes to evaluate and apply patches and product updates. This was also a point I made in my 2015 RSA Conference presentation on building effective information security programs: being able to track “time to close critical vulnerabilities” is a great metric to help improve your teams’ security efficacy.

Stay Safe!

Bill Burns, VP & Chief Information Security Officer