Flashes (Alerts)
Abstract
IBM HTTP Server is not affected by the "DROWN: Decrypting RSA with Obsolete and Weakened eNcryption" vulnerability if you are on the latest releases and fixpack levels.
Content
The IBM HTTP Server is not affected by the "DROWN: Decrypting RSA with Obsolete and Weakened eNcryption" vulnerability (CVE-2016-0800) if you are on the latest releases and fixpack levels and you have not re-enabled SSLv2.
Please verify that you are on a fix pack level where SSLv2 has been disabled as described in the following publication:
http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html#SSLPROTO
As a reminder, SSLv3 has also been removed for the IBM HTTP Server:
http://www-01.ibm.com/support/docview.wss?uid=swg21687172
http://www-01.ibm.com/support/docview.wss?uid=swg21692502
IBM strongly recommends against using SSLv2 or SSLv3 in any other hardware or software offerings, as these old protocol versions are no longer suitable for use given their inherent weaknesses.
Change History:
04 March 2016: original document published
Document Information
Modified date: 25 September 2022
UID: swg21978317