OpenSSL recently released an advisory disclosing two new issues, along with an update on a previous issue, less than two months after its last release in early December. We would like to reassure our customers that NetScaler is unaffected by these vulnerabilities.
CVE-2016-0701 enables man-in-the-middle attacks against a vulnerable client or server that uses DH parameters based on unsafe primes, as is the case with X9.42-style parameters. X9.42 support was added to OpenSSL only recently, in 1.0.2 onwards. NetScaler does not use X9.42 and is therefore unaffected.
CVE-2015-3197 is a non-issue for the vast majority of NetScaler deployments. SSLv2 is not supported by NetScaler MPX-FIPS. On all other platforms, on currently supported releases, SSLv2 is disabled by default. However, if you are a customer who still employs SSLv2, we recommend turning it off and switching to TLSv1.1 at a minimum.
When Logjam (CVE-2015-4000) was first disclosed, NetScaler future-proofed its SSL implementation to use 1024-bit DH parameters when negotiating TLS connections. NetScaler therefore does not need to adopt the fix introduced by OpenSSL that makes 1024-bit DH parameters the minimum allowed length.