The following Network Automation versions are affected by the FREAK and LogJam vulnerabilities:
- NA 9.1x
- NA 9.20
- NA 9.21
Newer versions use a higher Java version and are not deemed to be affected by FREAK and LogJam (based upon the official definitions of these vulnerabilities).
FREAK and LogJam occur because export ciphers deemed to be of weak or medium security are available. This situation is commonly identified by a security scan.
The fix is to apply the latest version of the NA patch (or to upgrade to NA 10.xx), which upgrades the Java version used by NA. This Java version disables the use of export ciphers.
Additionally, for LogJam, there is a second issue regarding DH groups, sometimes referred to by web browsers as ephemeral keys. This issue can cause loss of web browser connectivity, depending on the length of the available ephemeral keys. The official definition of LogJam specifies that keys of fewer than 512 bits are affected. Newer web browser versions require the use of 1024-bit ephemeral keys.
For this second LogJam issue, see Method 2 in the specification for Mozilla Firefox (https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01733196).
As of this publication date, Microsoft Internet Explorer is not known to be impacted.
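To confirm after patching that neither condition described above remains (export ciphers still offered, or DH groups shorter than the 1024 bits newer browsers require), the following added example, which is not part of the original article or of NA, audits a list of cipher suites taken from a security scan. The sample input is constructed, and the one-suite-per-line format with an optional `(dh N)` annotation is an assumption; adapt the parsing to your scanner's real output.

```python
import re

# Constructed sample of scan output (not from a real NA host). One suite per
# line; the optional "(dh N)" group-size annotation is an assumed format.
SAMPLE_SCAN = """\
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (dh 512)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024)
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
EXP-EDH-RSA-DES-CBC-SHA
"""

LINE_RE = re.compile(r"^\s*(?P<suite>[A-Za-z0-9_-]+)(?:\s+\(dh\s+(?P<bits>\d+)\))?\s*$")
# Finite-field DHE only: "DHE"/"EDH" as a whole name component, so ECDHE is excluded.
DHE_RE = re.compile(r"(?:^|[-_])(?:DHE|EDH)[-_]")

def is_export(suite):
    """Export-grade suites: IANA names contain _EXPORT_, OpenSSL names start with EXP-."""
    s = suite.upper()
    return "_EXPORT_" in s or s.startswith("EXP-")

def audit(scan_text, min_dh_bits=1024):
    """Return (suite, reason) findings for export ciphers and short DH groups."""
    findings = []
    for line in scan_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or text that is not a suite entry
        suite, bits = m.group("suite"), m.group("bits")
        if is_export(suite):
            findings.append((suite, "export-grade cipher offered"))
        if DHE_RE.search(suite.upper()):
            if bits is None:
                findings.append((suite, "DHE suite, group size not reported"))
            elif int(bits) < min_dh_bits:
                findings.append((suite, f"DH group {bits} bits < {min_dh_bits}"))
    return findings

if __name__ == "__main__":
    for suite, reason in audit(SAMPLE_SCAN):
        print(f"{suite}: {reason}")
```

An empty result from `audit()` on a post-patch scan indicates that the export ciphers are gone and every reported DH group meets the threshold.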