DROWN SSLv2 Vulnerability - March (2016)

Document created by chris_stevens Employee on Mar 25, 2016Last modified by mike_aronson on Mar 20, 2017
Version 2Show Document
  • View in full screen mode

In March 2016, we were made aware of a new vulnerability called DROWN, which stands for Decrypting RSA with Obsolete and Weakened eNcryption. This affects SSLv2 connections and those that use their private key on any other server that allows SSLv2 connections. This vulnerability is also known as CVE-2016-0800.


Is Boomi Affected?

No, none of Boomi servers have SSLv2 enabled, and we do not use our private key on any server that does.


Am I Affected?

That depends. If you are using a Windows OS and are using IIS 7.0 or IIS 7.5, SSLv2 is enabled by default. The OS' that use this are: Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.


On any Operating System, you'll need to ensure that any SSLv2 is not enabled (and your private key is not used on any server using SSLv2), which can include (but not limited to) these types: web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS.


Additional Resources

Additional information can be found at the following links: