Addressing the FREAK Vulnerability
What you need to know
The FREAK vulnerability allows an attacker with a privileged position on the network (a “man-in-the-middle”) to tamper with the SSL/TLS handshake between a client and a server. The attacker rewrites the client’s handshake so that the server answers with a weak, export-grade RSA cipher suite even though the client asked only for stronger ciphers. Export-grade RSA keys are 512 bits or shorter and can be factored with modest computing resources, after which the session traffic can be decrypted. Due to a bug in affected SSL/TLS libraries, the client accepts the export-grade key it never asked for instead of aborting the handshake, which puts the encrypted transmission at risk of disclosure.
For more information about the FREAK vulnerability, see the post by Matt Green, who coordinated the widespread disclosure: http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
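The following script is an added example that is not part of this advisory and not Informatica’s code; it shows the handshake condition described above in concrete terms. It constructs a TLS ClientHello and ServerHello inline (constructed sample records, not captured traffic), parses the cipher suites out of each, and flags the two things a FREAK downgrade produces: a server that selects a suite the client never offered (which a correct client must reject with a handshake failure), and a negotiated export-grade suite. The export suite identifiers are the standard IANA values; the list is deliberately partial, covering the RSA export suites FREAK targets.

```python
import struct

HANDSHAKE = 0x16      # TLS record content type for handshake messages
CLIENT_HELLO = 1
SERVER_HELLO = 2

# Export-grade RSA suites (IANA TLS Cipher Suite registry; partial list).
# These are the suites a FREAK man-in-the-middle coerces the server into using.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


def _handshake_record(msg_type, body):
    """Wrap a handshake body in a 4-byte handshake header and a 5-byte record header."""
    hs = struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def build_client_hello(suites, random=b"\x11" * 32):
    """Constructed ClientHello: TLS 1.2, empty session id, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", 0x0303) + random + b"\x00"
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")                       # one compression method: null
    return _handshake_record(CLIENT_HELLO, body)


def build_server_hello(suite, random=b"\x22" * 32):
    """Constructed ServerHello selecting a single cipher suite."""
    body = (struct.pack("!H", 0x0303) + random + b"\x00"
            + struct.pack("!H", suite) + b"\x00")
    return _handshake_record(SERVER_HELLO, body)


def _handshake_body(record, expected_type):
    """Validate the record and handshake headers and return the message body."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) != 5 + length:
        raise ValueError("not a complete TLS handshake record")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_type != expected_type or hs_len != length - 4:
        raise ValueError("unexpected handshake message")
    return record[9:9 + hs_len]


def client_hello_suites(record):
    """Return the list of cipher suites the client offered."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                                 # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


def server_hello_suite(record):
    """Return the cipher suite the server selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32
    sid_len = body[pos]
    pos += 1 + sid_len
    return struct.unpack("!H", body[pos:pos + 2])[0]


def check_handshake(client_hello, server_hello):
    """Return a list of findings; an empty list means nothing looks like FREAK."""
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    findings = []
    for s in offered:
        if s in RSA_EXPORT_SUITES:
            findings.append("client offers export-grade suite %s" % RSA_EXPORT_SUITES[s])
    if chosen not in offered:
        findings.append("server chose suite 0x%04x the client never offered; "
                        "a correct client must abort the handshake" % chosen)
    if chosen in RSA_EXPORT_SUITES:
        findings.append("export-grade suite negotiated: " + RSA_EXPORT_SUITES[chosen])
    return findings


if __name__ == "__main__":
    strong = [0xC013, 0x002F]   # ECDHE-RSA-AES128-SHA, AES128-SHA
    print("clean:", check_handshake(build_client_hello(strong), build_server_hello(0x002F)))
    # The FREAK case: the server answers with RSA_EXPORT although the client never asked for it.
    print("freak:", check_handshake(build_client_hello(strong), build_server_hello(0x0003)))
```

The same check against a live server is a one-liner with OpenSSL: `openssl s_client -connect host:443 -cipher 'EXPORT'` should fail to complete a handshake against a correctly configured server; a completed handshake means the server still accepts export-grade suites and needs its configuration or library updated.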
What you need to do
The following Informatica products now have updated SSL/TLS libraries available to address this vulnerability:
- Big Data Edition
- Data Explorer
- Data Quality
- Data Replication
- Data Services
- Native Adapters
- PowerCenter Express
- PowerExchange Mainframe and Changed-Data Capture
Because SSL/TLS vulnerabilities also affect the underlying operating systems (including Microsoft Windows and various Linux distributions), we also recommend reviewing your OS patch levels and applying fixes as necessary.
If the number of critical vulnerabilities disclosed since late 2014 has reinforced anything, it’s that teams need repeatable, efficient processes to evaluate and apply patches and product updates. This was also a point I made in my 2015 RSA Conference presentation on building effective information security programs: being able to track “time to close critical vulnerabilities” is a great metric to help improve your teams’ security efficacy.
Bill Burns, VP & Chief Information Security Officer