IBM Support

IBM HTTP Server is not affected by DROWN (CVE-2016-0800)

Flashes (Alerts)


Abstract

IBM HTTP Server is not affected by the "DROWN: Decrypting RSA with Obsolete and Weakened eNcryption" vulnerability if you are on the latest releases and fix pack levels.

Content

The IBM HTTP Server is not affected by the "DROWN: Decrypting RSA with Obsolete and Weakened eNcryption" vulnerability (CVE-2016-0800) if you are on the latest releases and fix pack levels and you have not re-enabled SSLv2.

Please verify that you are on a fix pack level where SSLv2 has been disabled as described in the following publication:
http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html#SSLPROTO

As a reminder, SSLv3 has also been removed for the IBM HTTP Server:
http://www-01.ibm.com/support/docview.wss?uid=swg21687172
http://www-01.ibm.com/support/docview.wss?uid=swg21692502
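
One way to check a configuration file for the re-enabled protocols described above, as an added example that is not IBM's own tooling. It assumes the `SSLProtocolEnable` and `SSLProtocolDisable` directives of IBM HTTP Server's SSL module (the names are not given on this page); `audit_ssl_protocols` is a hypothetical helper and the sample configuration is constructed. It reports explicit settings only and does not follow `Include` files, so the fix pack level still has to be confirmed separately.

```python
import re

LEGACY = {"sslv2", "sslv3"}
DIRECTIVE = re.compile(r"^(SSLProtocolEnable|SSLProtocolDisable)\s+(.+)$", re.I)
VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost\s*>", re.I)

def audit_ssl_protocols(conf_text):
    """Return (reenabled, disabled) for SSLv2/SSLv3 in one config file's text.
    reenabled: [(scope, line_no, protocol)]; disabled: {scope: {protocols}}."""
    reenabled, disabled, scope = [], {}, "global"
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out directives do not count
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            scope = "VirtualHost " + opened.group(1).strip()
        elif VHOST_CLOSE.match(line):
            scope = "global"
        m = DIRECTIVE.match(line)
        if not m:
            continue
        for proto in m.group(2).split():
            if proto.lower() not in LEGACY:
                continue
            if m.group(1).lower() == "sslprotocolenable":
                reenabled.append((scope, line_no, proto))
            else:
                disabled.setdefault(scope, set()).add(proto.lower())
    return reenabled, disabled

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
SSLProtocolDisable SSLv2 SSLv3
<VirtualHost *:443>
    # SSLProtocolEnable SSLv3
    SSLProtocolEnable SSLv2
</VirtualHost>
<VirtualHost *:8443>
    sslprotocoldisable sslv3
</VirtualHost>
"""

if __name__ == "__main__":
    reenabled, disabled = audit_ssl_protocols(SAMPLE_CONF)
    for scope, line_no, proto in reenabled:
        print(f"line {line_no}: {proto} re-enabled in {scope}")
    print({scope: sorted(p) for scope, p in disabled.items()})
```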

IBM strongly recommends against using SSLv2 or SSLv3 in any other hardware or software offerings, as these old versions are no longer suitable for use given the inherent weaknesses of these protocols.

Change History:

04 March 2016: original document published

Product: IBM HTTP Server
Business Unit: Hybrid Cloud
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Version: 8.5.5; 8.5; 7.0

Document Information

Modified date:
15 June 2018

UID

swg21978317