HOW TO: Protect your Informatica Domain from the SSL/TLS Vulnerability (CVE-2015-0204)

Solution

Overview

The Factoring Attack on RSA-EXPORT Keys (FREAK) vulnerability affects the following Informatica products:

· Big Data Edition
· Data Explorer
· Data Quality
· Data Replication
· Data Services
· Native Adapters
· PowerCenter
· PowerCenter Express
· PowerExchange Mainframe and Changed-Data Capture


The FREAK vulnerability allows a man-in-the-middle attacker to compromise the SSL/TLS handshake between a client and a server. The attacker forces the server to use an export-grade cipher even though the client requested a different cipher. Export-grade ciphers are a deliberately weakened form of encryption whose keys can be broken. Because of a bug in the SSL/TLS library, the client accepts the export-grade cipher. The attacker can then recover the encryption key and compromise the security of the transmitted data.


The FREAK vulnerability can be exploited when both of the following conditions are true:

· The server supports export-grade RSA ciphers
· The client uses a vulnerable SSL/TLS library
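A defender-side check for the two conditions above, added here as an illustration and not part of the Informatica article: the Python below parses a captured TLS ServerHello and a ServerKeyExchange RSA parameter block and flags the two signatures of a FREAK downgrade, an export-grade cipher suite actually negotiated, or a non-export RSA suite in which the server nonetheless sent a ServerKeyExchange carrying an RSA key (the message a patched client rejects). The handshake bytes are constructed inline; the cipher-suite identifiers are the standard values from RFC 2246 and RFC 5246.

```python
import struct
from typing import Dict, Optional

# Export-grade cipher suites from RFC 2246, Appendix A.5. A server that offers any
# of these satisfies the first FREAK condition.
EXPORT_SUITES: Dict[int, str] = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

# A few non-export suites with static RSA key exchange (RFC 5246). In these suites
# the server must NOT send a ServerKeyExchange; CVE-2015-0204 is the client bug that
# accepted one anyway, together with the weak RSA key inside it.
RSA_KX_SUITES: Dict[int, str] = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
}

HANDSHAKE = 0x16
SERVER_HELLO = 0x02


def parse_server_hello(record: bytes) -> Dict[str, int]:
    """Extract protocol version and chosen cipher suite from a TLS record holding a ServerHello."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    (version,) = struct.unpack("!H", hello[:2])
    session_id_len = hello[34]            # 2-byte version + 32-byte random precede it
    offset = 35 + session_id_len
    (suite,) = struct.unpack("!H", hello[offset:offset + 2])
    return {"version": version, "cipher_suite": suite}


def rsa_modulus_bits(server_key_exchange_params: bytes) -> int:
    """Bit length of rsa_modulus in a ServerRSAParams block (length-prefixed modulus, then exponent)."""
    (mod_len,) = struct.unpack("!H", server_key_exchange_params[:2])
    modulus = server_key_exchange_params[2:2 + mod_len]
    return int.from_bytes(modulus, "big").bit_length()


def assess_handshake(cipher_suite: int, ske_rsa_bits: Optional[int] = None) -> str:
    """Classify one observed handshake.

    ske_rsa_bits is the RSA modulus size from a ServerKeyExchange if the server sent one,
    or None if it did not.
    """
    if cipher_suite in EXPORT_SUITES:
        return "EXPORT_SUITE"        # export-grade suite negotiated outright
    if cipher_suite in RSA_KX_SUITES and ske_rsa_bits is not None:
        return "FREAK_DOWNGRADE"     # RSA suite, yet an RSA key was pushed via ServerKeyExchange
    return "OK"


def build_server_hello(version: int, cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample: wrap a minimal ServerHello in a TLS record (zero random, no extensions)."""
    hello = (struct.pack("!H", version) + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", cipher_suite) + b"\x00")  # compression_method null
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed captures: one export suite, one RSA suite with a 512-bit key in ServerKeyExchange.
    export_hello = parse_server_hello(build_server_hello(0x0303, 0x0003))
    rsa_hello = parse_server_hello(build_server_hello(0x0303, 0x002F))
    weak_modulus = ((1 << 511) | 1).to_bytes(64, "big")
    ske = struct.pack("!H", len(weak_modulus)) + weak_modulus + b"\x00\x03\x01\x00\x01"
    print(assess_handshake(export_hello["cipher_suite"]))                       # EXPORT_SUITE
    print(assess_handshake(rsa_hello["cipher_suite"], rsa_modulus_bits(ske)))   # FREAK_DOWNGRADE
    print(assess_handshake(rsa_hello["cipher_suite"]))                          # OK
```

The second signature is the useful one for passive detection: a patched server never sends a ServerKeyExchange for a static-RSA suite, so its presence in a capture of that suite means either a misbehaving server or an attacker in the path, whatever the modulus size.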


FREAK affects multiple SSL/TLS libraries, including the following:

· OpenSSL versions earlier than 1.0.1k
· BoringSSL versions earlier than November 10, 2014
· Secure Transport versions without OS X Security Update 2015-002, iOS 8.2, or Apple TV 7.1
· Schannel versions without Microsoft Security Bulletin MS15-031


For more information about the FREAK vulnerability, which was reported by researchers at the French Institute for Research in Computer Science and Automation (INRIA), see the following US-CERT alert:

https://www.us-cert.gov/ncas/current-activity/2015/03/06/FREAK-SSLTLS-Vulnerability


To protect the Informatica domain from the FREAK vulnerability, perform the following tasks:

· Apply the EBF to the Informatica domain
· Disable RSA-EXPORT keys for your browser
· Disable RSA-EXPORT keys for database connections


If the Informatica domain runs on version 9.6.1 HotFix 3 or later, you do not need to apply the EBF.

Note: Informatica does not recommend using SSL/TLS with application adapters.


Apply the EBF to the Informatica Domain

To disable RSA-EXPORT keys, apply the EBF for your version of Informatica. The following table lists the EBF required for version 9.6.1 HotFix 2:


Version     Operating System   EBF
9.6.1 HF2   AIX                EBF15419
9.6.1 HF2   Linux-x64          EBF15419
9.6.1 HF2   Windows x64        EBF15419
9.6.1 HF2   Solaris sp-64      EBF15419


Note: After you apply the EBF, support for SSL certificates that use RSA keys of 512 bits or less is disabled. You must replace any affected SSL certificates, as well as the related keystores and truststores, with supported certificates.


If you are on an earlier version of Informatica 9.6.1, upgrade to the latest HotFix before you apply the EBF.


You must apply the EBF to all the nodes in the domain as well as to any machine that hosts the Informatica client.


For more information about how to apply the EBF, see the instructions packaged with the EBF.

Disable RSA-EXPORT Keys for Your Browser

Upgrade to the latest release of your browser.


Disable RSA-EXPORT Keys for Database Connections

Data Direct ODBC/JDBC Drivers

Data Direct recommends disabling the export ciphers. To disable the export ciphers, add the following text to the connection string:

CipherList=-RSA:-EXP

Note: Data Direct is working to confirm that disabling RSA ciphers avoids the FREAK vulnerability. Additional changes may be required when you specify the CipherList property, and restricting the cipher list on the client alone might not avoid the vulnerability.
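To see what -RSA:-EXP does to a cipher list, the following Python is a small model of the OpenSSL cipher-string rules, added for this article and not Data Direct or Informatica code. The catalogue of suites is a constructed subset with the keyword tags OpenSSL assigns them (in that grammar "RSA" means RSA key exchange and "aRSA" means RSA authentication, so -RSA also drops non-export static-RSA suites); the assumptions that the driver's CipherList uses OpenSSL syntax and is appended to the driver's default list (modelled here as ALL) are mine, which is exactly why the note above about additional changes matters.

```python
from typing import List, Set, Tuple

# Constructed subset of suites with the OpenSSL keyword tags each one matches.
# "RSA"/"kRSA" = RSA key exchange, "aRSA" = RSA authentication, "EXP"/"EXPORT" =
# export-grade. Real OpenSSL knows many more suites and keywords.
CATALOGUE: List[Tuple[str, Set[str]]] = [
    ("EXP-RC4-MD5",                 {"EXP", "EXPORT", "RSA", "kRSA", "aRSA", "RC4", "MD5"}),
    ("EXP-DES-CBC-SHA",             {"EXP", "EXPORT", "RSA", "kRSA", "aRSA", "DES", "SHA"}),
    ("AES128-SHA",                  {"RSA", "kRSA", "aRSA", "AES", "SHA", "HIGH"}),
    ("AES256-SHA",                  {"RSA", "kRSA", "aRSA", "AES", "SHA", "HIGH"}),
    ("DHE-RSA-AES128-SHA",          {"DHE", "kDHE", "EDH", "aRSA", "AES", "SHA", "HIGH"}),
    ("ECDHE-RSA-AES128-GCM-SHA256", {"ECDHE", "kECDHE", "aRSA", "AES", "AESGCM", "SHA256", "HIGH"}),
]


def _matches(name: str, tags: Set[str], selector: str) -> bool:
    """A selector is a suite name, a keyword, or keywords joined by '+' (all must match)."""
    return all(part == name or part == "ALL" or part in tags for part in selector.split("+"))


def evaluate(spec: str, base: str = "") -> List[str]:
    """Apply an OpenSSL-style cipher string and return the resulting ordered suite list.

    Prefix rules: none = append matches not yet listed; '-' = drop matches (a later
    token can add them back); '!' = drop and never allow back; '+' = move matches to the end.
    `base` models a list the driver may place before the user's text (assumption).
    """
    current: List[str] = []
    killed: Set[str] = set()
    tokens = (base + ":" + spec if base else spec).split(":")
    for token in tokens:
        if not token:
            continue
        op = token[0] if token[0] in "-!+" else ""
        hits = [name for name, tags in CATALOGUE if _matches(name, tags, token[len(op):])]
        if op == "":
            current += [n for n in hits if n not in current and n not in killed]
        elif op == "-":
            current = [n for n in current if n not in hits]
        elif op == "!":
            killed.update(hits)
            current = [n for n in current if n not in hits]
        else:  # "+"
            current = [n for n in current if n not in hits] + [n for n in current if n in hits]
    return current


def offers_export(suites: List[str]) -> bool:
    """True if any suite in the list is export-grade (the server-side FREAK condition)."""
    tags = dict(CATALOGUE)
    return any("EXP" in tags[s] for s in suites)


if __name__ == "__main__":
    # The article's setting, assuming the driver prepends its default list (modelled as ALL):
    print(evaluate("-RSA:-EXP", base="ALL"))    # only the DHE/ECDHE suites remain
    # The same text with nothing before it removes from an empty list and leaves no suites:
    print(evaluate("-RSA:-EXP"))                # []
    # '-' versus '!': a later token can re-add what '-' removed, but not what '!' removed.
    print(evaluate("ALL:-EXP:EXP-RC4-MD5"))     # export suite is back at the end
    print(evaluate("ALL:!EXP:EXP-RC4-MD5"))     # export suite stays out
```

Two points worth checking against the real driver before rolling this out: whether the vendor combines CipherList with a default list at all (on its own, a string of only '-' tokens selects nothing), and whether the database server still shares a DHE or ECDHE suite with the client once every static-RSA suite has been removed.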

 

Native Connectors

Informatica certifies SSL/TLS connections only to Oracle, DB2, and SQL Server databases.

For information about how to address the FREAK vulnerability for native connectors to a database, see the documentation for that database.

Application Adapters

No action is required. Informatica does not recommend SSL/TLS connections for application adapters.

 
Applies To

Product: Data Quality; Universal Data Replication; PowerCenter; PowerExchange; Big Data Management
Project Phase: Configure
Last Modified Date: 12/16/2015 9:02 PM
ID: 325261