CM: CVE-2013-2566 TLS/SSL Server Supports RC4 Cipher Algorithms


Doc ID    SOLN279805
Version:    5.0
Status:    Published
Published date:    25 Apr 2017
Created Date:    01 Dec 2015
Author:    Gina Reda

Details

CM 6.x

Problem Clarification

CVE-2013-2566 TLS/SSL Server Supports RC4 Cipher Algorithms

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.

If the RC4 protocol has a design flaw, can it be disabled and another protocol used instead?

 

Cause

Security Vulnerability.

Solution

Feedback from PSST CPE

 

CVE-2013-2566, from Red Hat:

This flaw is related to the design of the RC4 protocol and not its implementation. More details and a possible workaround are mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=921947#c8. Therefore there are no plans to correct this issue in Red Hat Enterprise Linux 5 and 6.

 

The workaround suggests demoting RC4 ciphers; however, CM already does this by choosing the strongest ciphers first.
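
The following Python sketch is an added illustration, not Avaya or Red Hat code. It models server-preference cipher selection to compare demoting RC4 with disabling it; the suite lists are constructed samples and do not represent CM's actual configuration.

```python
# Added example: models TLS server-preference cipher selection.
# All suite lists are constructed samples, not CM's actual configuration.

def is_rc4(suite):
    """True for IANA-style (TLS_RSA_WITH_RC4_128_SHA) or OpenSSL-style (RC4-SHA) names."""
    return "RC4" in suite.upper().replace("-", "_").split("_")

def negotiate(server_pref, client_offer):
    """Return the first suite in the server's ordered list that the client
    also offers, or None when there is no overlap (handshake fails)."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)

def audit(server_pref):
    """Report whether RC4 is enabled, whether it is ranked below every other
    suite, and what a client offering only the server's RC4 suites gets."""
    rc4 = [i for i, s in enumerate(server_pref) if is_rc4(s)]
    other = [i for i, s in enumerate(server_pref) if not is_rc4(s)]
    return {
        "rc4_enabled": bool(rc4),
        "rc4_demoted": bool(rc4) and bool(other) and min(rc4) > max(other),
        "rc4_only_client_gets": negotiate(server_pref, [server_pref[i] for i in rc4]),
    }

# Constructed server lists: strongest first with RC4 last, then RC4 removed.
DEMOTED = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]
DISABLED = [s for s in DEMOTED if not is_rc4(s)]

# Constructed client offers: one lists RC4 first but also AES, one is RC4-only.
MIXED_CLIENT = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
RC4_ONLY_CLIENT = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"]

if __name__ == "__main__":
    for name, pref in (("demoted", DEMOTED), ("disabled", DISABLED)):
        print(name, audit(pref))
        print("  mixed client    ->", negotiate(pref, MIXED_CLIENT))
        print("  RC4-only client ->", negotiate(pref, RC4_ONLY_CLIENT))
```

With RC4 demoted, a client that shares any stronger suite never lands on RC4, but a client that offers only RC4 still negotiates it; only removing RC4 from the list makes that handshake fail.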

 

Additional Relevant Phrases

Security Vulnerability CM 6.x

Avaya -- Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy