What is “DROWN”?
“DROWN” is an acronym for “Decrypting RSA using Obsolete and Weakened eNcryption”. The vulnerability is tracked as CVE-2016-0800.
Is my system vulnerable?
Because SSLv2 is still widely deployed across the Internet, the DROWN vulnerability can affect a large number of servers. If your server supports both TLS and SSLv2, it may be vulnerable.
How do I fix this vulnerability?
This vulnerability is avoided by disabling the SSLv2 protocol on all of your SSL/TLS servers.
SUSE has released a patch that disables the SSLv2 protocol altogether by default and also disables all EXPORT ciphers, closing the vulnerability. The patch also checks environment variables so that customers can unbreak applications that still need SSLv2.
Those patches are available for the following systems:
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 LTSS (SLES 11 SP3 LTSS)
SUSE Linux Enterprise Server 11 Service Pack 2 LTSS (SLES 11 SP2 LTSS)
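The two settings the fix above turns off, SSLv2 and EXPORT ciphers, are also easy to leave enabled in an individual web server's own configuration, independent of the library patch. The following added example (not SUSE's code, and not part of the original FAQ) audits Apache mod_ssl and nginx directives for both conditions. The config lines are constructed samples; the assumption that Apache's legacy `SSLProtocol all` includes SSLv2 unless `-SSLv2` is given, and that OpenSSL's `ALL` cipher keyword includes EXPORT suites unless they are excluded, are stated in the comments.

```python
"""Audit Apache (mod_ssl) and nginx TLS directives for the two settings
the DROWN mitigation disables: the SSLv2 protocol and EXPORT ciphers.

Added example; not SUSE's code. Config samples below are constructed."""
import re
from typing import List

# Constructed sample of a weak configuration (mixed Apache and nginx lines).
SAMPLE_CONFIG = """
SSLProtocol all
SSLCipherSuite ALL:!aNULL
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:EXP:!aNULL;
"""

# Constructed sample of the corrected configuration.
HARDENED_CONFIG = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!EXPORT
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!EXPORT;
"""

# OpenSSL cipher-list keywords that select export-grade suites.
EXPORT_TOKENS = {"EXPORT", "EXP", "EXPORT40", "EXPORT56", "EXP40", "EXP56"}

DIRECTIVE_RE = re.compile(
    r"^\s*(SSLProtocol|SSLCipherSuite|ssl_protocols|ssl_ciphers)\s+(.+?)\s*$",
    re.IGNORECASE,
)


def _tokens(value: str) -> List[str]:
    """Split a directive value on whitespace, dropping nginx's trailing ';'."""
    return value.rstrip(";").split()


def sslv2_enabled(directive: str, value: str) -> bool:
    """True if the protocol directive leaves SSLv2 negotiable."""
    toks = [t.lower() for t in _tokens(value)]
    if directive.lower() == "sslprotocol":
        # Assumption (legacy mod_ssl): "all" included SSLv2 unless "-SSLv2"
        # removed it; "+SSLv2" or a bare "SSLv2" enables it explicitly.
        enabled = any(t in ("all", "sslv2", "+sslv2") for t in toks)
        return enabled and "-sslv2" not in toks
    if directive.lower() == "ssl_protocols":
        # nginx only enables protocols that are listed explicitly.
        return "sslv2" in toks
    return False


def export_ciphers_enabled(value: str) -> bool:
    """True if an OpenSSL cipher string still admits EXPORT-grade suites."""
    toks = _tokens(value)
    if not toks:
        return False
    included = excluded = False
    for item in toks[0].split(":"):
        name = item.lstrip("!-+").upper()
        if name in EXPORT_TOKENS and item.startswith(("!", "-")):
            excluded = True        # "!EXPORT" / "-EXPORT" removes the suites
        elif name in EXPORT_TOKENS:
            included = True        # export suites selected by name
        elif name == "ALL":
            included = True        # assumption: ALL covers EXPORT suites
    return included and not excluded


def audit(config_text: str) -> List[str]:
    """Return one finding per directive that leaves SSLv2 or EXPORT on."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, value = m.group(1), m.group(2)
        key = directive.lower()
        if key in ("sslprotocol", "ssl_protocols") and sslv2_enabled(directive, value):
            findings.append(
                f"line {lineno}: {directive} leaves SSLv2 enabled (DROWN, CVE-2016-0800)")
        if key in ("sslciphersuite", "ssl_ciphers") and export_ciphers_enabled(value):
            findings.append(f"line {lineno}: {directive} allows EXPORT-grade ciphers")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit(text) or ["no findings"]:
            print("  " + finding)
```

Run against the weak sample it reports all four directives; against the hardened sample it reports nothing. Only the protocol and cipher directives are inspected, so a server that still carries a patched library with SSLv2 re-enabled through the environment variables mentioned above would need to be checked separately.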