Reference Name: FREAK and SKIP TLS Vulnerabilities (related to OpenSSL)
Status: Resolved, Fixes are available
- 5-4-2016 – Updated
- 3-4-2015 – Initial acknowledgement
The FREAK and SKIP vulnerabilities are medium severity security issues that address "Broken or Risky Cryptographic Algorithms – CWE 327". For more information see the OpenSSL Security Advisory (19 Mar 2015).
FREAK: OpenSSL versions before 1.0.1k are vulnerable, as described in CVE-2015-0204.
SKIP-TLS: Errors potentially allow malicious attackers to perform Man-in-the-middle attacks and take advantage of issues as described in CVE-2014-6593. The January 2015 critical update for Java prevents the attack.
May 4, 2016
Hot fixes are available for SAS 9.4, SAS 9.3 and SAS 9.2 releases. Customers should review SAS Note 55767, and access the Hot Fix tab to download and apply the appropriate fixes.
Customers should also ensure that they have updated the SAS PRIVATE JRE on SAS 9.4 systems, and the general JRE on earlier SAS versions. See SAS Note 56203 for information about downloading and applying updated versions of Java 7 JRE.