is aware of the following SSLv2 DROWN vulnerability.
This vulnerability centers around the fact that attackers can force a web server to use an old, insecure version of SSL/TLS known as SSLv2. Although no longer used, SSLv2 is still supported by many web servers.
This is a vulnerability in the SSL protocol; existing SSL certificates are not affected and do not need to be replaced.
- Identify SSLv2 support using GeoTrust Installation Checker.
- You can refer to one of the following vendor links for assistance with remediation. If you need further assistance disabling SSLv2, please contact your server vendor.
  - Microsoft - https://support.microsoft.com/en-us/kb/187498
  - Apache - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol
  - Postfix - https://drownattack.com/postfix.html
  - Nginx - http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols
  - OpenSSL - https://www.openssl.org/news/secadv/20160301.txt
  - Network Security Services (NSS) - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/sslfnc.html#1098841
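For the Apache and Nginx directives linked above, the following added example (not part of the original advisory or any vendor's tooling) statically checks configuration text for `SSLProtocol` and `ssl_protocols` lines that leave SSLv2 enabled. It assumes the Apache 2.2 meaning of `all`, which includes SSLv2; the function names and the sample configuration are constructed for illustration, and a server with no explicit directive still needs its default checked.

```python
import re

# Assumption: Apache 2.2 mod_ssl semantics, where "all" includes SSLv2.
APACHE_ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^#]+)", re.I)

def apache_protocols(args):
    """Evaluate SSLProtocol tokens left to right: +adds, -removes, bare replaces."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = APACHE_ALL if name.lower() == "all" else {name.lower()}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

def nginx_protocols(args):
    """ssl_protocols is a plain list: a protocol is on only if it is named."""
    return {t.lower() for t in args.rstrip(";").split()}

def audit(config_text):
    """Return (line number, directive) for every line that enables SSLv2."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments and unrelated directives
        name, args = m.group(1).lower(), m.group(2).strip()
        parse = apache_protocols if name == "sslprotocol" else nginx_protocols
        if "sslv2" in parse(args):
            findings.append((lineno, line.strip()))
    return findings

# Constructed sample mixing both syntaxes; not taken from a real server.
SAMPLE = """\
# SSLProtocol all
SSLProtocol all
SSLProtocol all -SSLv2
SSLProtocol -all +TLSv1.2
SSLProtocol all -SSLv2 +SSLv2
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_protocols TLSv1.1 TLSv1.2;
"""

if __name__ == "__main__":
    for lineno, text in audit(SAMPLE):
        print(f"line {lineno}: SSLv2 enabled by '{text}'")
```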
For more information about the DROWN vulnerability, visit Symantec's official blog.