FREAK: OpenSSL vulnerability (CVE-2015-0204)
Posted by Steve N on 05 March 2015 11:02 PM

In January 2015, Red Hat Product Security addressed the CVE-2015-0204 vulnerability in OpenSSL with this advisory: RHSA-2015-0066. The vulnerability was rated as
having a Moderate impact. This vulnerability is now being referred to as FREAK in the press.

Background Information

OpenSSL clients accepted EXPORT-grade (insecure) keys even when the client had not initially asked for them. This could be exploited using a man-in-the-middle attack,
which would intercept the client's initial request for a standard key and ask the server for an EXPORT-grade key. The client would then accept the weak key, allowing
the attacker to factor it and decrypt communication between the client and the server.
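To make the missing check concrete, here is an added example (not from the advisory or from OpenSSL's source) that models the client-side decision in plain Python. The cipher-suite numbers are IANA TLS registry values; the message structures and function names are simplified assumptions.

```python
"""Model of the client-side check that a FREAK-vulnerable TLS client skipped.

Constructed example: cipher-suite ids are IANA registry values, but the
handshake messages are simplified dicts/dataclasses, not OpenSSL structures.
"""
from dataclasses import dataclass
from typing import Optional

# EXPORT suites legitimately carry a <=512-bit ephemeral RSA key (subset).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
STRONG_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


@dataclass
class ServerKeyExchange:
    rsa_modulus_bits: Optional[int]  # None: no ephemeral RSA key in the message


def offered_suites_are_safe(client_hello_suites):
    """First line of defence: a client that never offers export suites."""
    return not any(s in EXPORT_SUITES for s in client_hello_suites)


def accept_server_key_exchange(offered, chosen, ske, patched=True):
    """Decide whether the client continues the handshake.

    offered: suite ids from the client's ClientHello
    chosen:  suite id from the ServerHello
    ske:     ServerKeyExchange received, or None if the server sent none
    patched: False reproduces the CVE-2015-0204 behaviour for comparison
    Returns (accept, reason).
    """
    if chosen not in offered:
        return False, "server picked a suite the client never offered"
    if ske is None or ske.rsa_modulus_bits is None:
        return True, "no ephemeral RSA key; static certificate key is used"
    if chosen in EXPORT_SUITES:
        return True, "ephemeral RSA key is expected in an export suite"
    if not patched:
        # Vulnerable clients used the 512-bit key for the premaster secret,
        # which a man-in-the-middle who factored that key could recover.
        return True, "UNPATCHED: ephemeral RSA key accepted in non-export suite"
    return False, "ephemeral RSA key in a non-export suite: reject (FREAK fix)"
```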

Impact

While the use of EXPORT-grade ciphers is disabled by default in OpenSSL shipped with the latest versions of Red Hat Enterprise Linux (6.6 and 7.0), it can be enabled
by applications that utilize the OpenSSL library. For this reason, the vulnerability is considered to affect all Red Hat Enterprise Linux 6 and 7 systems, including
the Server, Workstation, Desktop, and HPC Node variants, that have not installed the fixed version of OpenSSL packages.

The version of OpenSSL shipped with Red Hat Enterprise Linux 5 is also affected. As Red Hat Enterprise Linux 5 is now in the Production 3 phase of the support and
maintenance life cycle, during which only Critical security advisories are provided, this issue is currently not planned to be addressed in future updates.

Resolution

To eliminate the possibility of exploitation, install the updated OpenSSL packages that have been made available through this advisory: RHSA-2015-0066.

To install the updates, use the yum package manager as follows:

yum update

To only update the OpenSSL package and its dependencies, use:

yum update openssl


We have deployed updates to all servers which have ntServerGuard installed. Servers without ntServerGuard are being patched/updated manually.

You can check for the FREAK vulnerability using the following link: http://www.nagios.com/freak-vulnerability-tester

If you find your server still has this vulnerability, please feel free to contact our support ASAP.

