#DEPRECATED #REFRESH 10 https://ubuntu.com/security/vulnerabilities/logjam
## page was copied from SecurityTeam/KnowledgeBase/MediaCoverageTemplate

== Protocol flaws and new cryptanalysis in public key cryptography (CVE-2015-4000 aka Logjam) ==

The Ubuntu Security Team is aware of the recent [[https://weakdh.org/imperfect-forward-secrecy.pdf|paper]] that raises issues about the safety of the Diffie-Hellman key negotiation protocol. The authors raise multiple points:

 1. Many systems are still configured to allow "export-grade" cipher suites, which use 512-bit Diffie-Hellman groups. A machine-in-the-middle attacker can use a design flaw in the TLS protocol to downgrade a connection to an export-grade Diffie-Hellman suite even though both endpoints offer and prefer stronger ones: the server's signature on its Diffie-Hellman share does not cover the cipher suite that was negotiated, so the client cannot tell a 512-bit export share from a normal one. This issue was assigned [[http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4000.html|CVE-2015-4000]].
  * The researchers have demonstrated a successful attack against a 512-bit Diffie-Hellman shared parameter.
 1. Diffie-Hellman implementations often use standardized or commonly-used shared parameters. This was considered safe until this paper, because the cost of solving a discrete logarithm in a large group is very high. However, the paper shows that the bulk of that work (the precomputation phase of the number field sieve) depends only on the shared prime and not on any individual connection. An attacker who has done that precomputation once for a widely-used prime can then derive the negotiated key of any specific connection using that prime quickly and cheaply, while remaining a purely passive eavesdropper. Amortizing the cost of the precomputation across millions of potential targets makes this attack relatively affordable.
  * It is suspected that academic researchers could perform these attacks against 768-bit shared parameters, and that nation-state actors have the resources and abilities to perform them against popularly-deployed 1024-bit shared parameters.
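The amortization argument in the second point above is easier to see in code. The following Python is an added illustration, not code from the paper or from Ubuntu. It stands in baby-step giant-step for the number field sieve the paper actually uses (both split the work into a phase that depends only on the prime and a cheap per-connection phase), it uses a small constructed prime (1000003) instead of a real 1024-bit group, and the names `precompute`, `discrete_log`, `dh_session`, `eavesdrop` and `demo` are ours.

```python
# Added illustration (not from the Logjam paper or Ubuntu): a shared
# Diffie-Hellman prime lets a passive eavesdropper amortize one expensive
# precomputation across every connection that uses that prime. The real
# attack uses the number field sieve; this toy uses baby-step giant-step
# (BSGS) on a tiny prime, but the shape is identical: the costly table
# depends only on (p, g), never on a particular session.
import math
import random


def precompute(p, g):
    """One-time work for the group: baby-step table of g^j mod p for 0 <= j < m.
    This is the analogue of the paper's precomputation for one fixed prime."""
    m = math.isqrt(p - 1) + 1            # m*m > p-1, so every exponent is covered
    table = {}
    x = 1
    for j in range(m):
        table.setdefault(x, j)           # keep the smallest j for each value
        x = x * g % p
    return {"m": m, "table": table, "giant": pow(g, -m, p)}   # g^-m mod p


def discrete_log(p, h, pre):
    """Per-connection work: find x with g^x = h (mod p) using the shared table."""
    gamma = h
    for i in range(pre["m"]):
        if gamma in pre["table"]:
            return i * pre["m"] + pre["table"][gamma]
        gamma = gamma * pre["giant"] % p
    return None                          # unreachable when h lies in <g>


def dh_session(p, g, rng):
    """An honest exchange: returns what the wire shows (A, B) and the shared secret."""
    a = rng.randrange(1, p - 1)
    b = rng.randrange(1, p - 1)
    A = pow(g, a, p)
    B = pow(g, b, p)
    return A, B, pow(B, a, p)


def eavesdrop(p, sessions, pre):
    """Recover each session's secret from only the public values A and B."""
    recovered = []
    for A, B in sessions:
        a = discrete_log(p, A, pre)      # cheap now that the table exists
        recovered.append(pow(B, a, p))
    return recovered


def demo(p=1000003, g=2, n_sessions=5, seed=1):
    """Constructed scenario: n_sessions connections all using the same (p, g).
    Returns (number of sessions, number whose secret the eavesdropper recovered)."""
    rng = random.Random(seed)            # deterministic so the run is repeatable
    pre = precompute(p, g)               # paid once for the shared parameters
    sessions = [dh_session(p, g, rng) for _ in range(n_sessions)]
    recovered = eavesdrop(p, [(A, B) for A, B, _ in sessions], pre)
    hits = sum(1 for (_, _, s), r in zip(sessions, recovered) if r == s)
    return n_sessions, hits


if __name__ == "__main__":
    print(demo())   # (5, 5): every session broken after one precomputation
```

With a real 1024-bit prime the table would be replaced by the sieve's precomputed logarithm database, and the per-connection step by an individual-log computation that the paper reports takes about a minute; the cost structure, not the algorithm, is what the page's second point is about.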
Use of hard-coded parameters is so ubiquitous that a solution will necessarily be long-term.

=== Expected responses of upstream projects ===

A complete response to the issues raised here will require a gradual transition of protocols, services, and configurations:

 * The OpenSSL project has [[https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/|dropped]] support for export-grade cipher suites.
 * The NSS project [[https://bugzil.la/1138554|has plans to drop]] support for export-grade cipher suites. Other toolkits will probably also drop support for export-grade cipher suites.
 * The OpenSSL project has [[https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/|announced a plan]] to phase out support for 768-bit Diffie-Hellman parameters in future releases.
 * The NSS project has [[https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24|a plan to stop supporting]] 512- and 768-bit Diffie-Hellman parameters in future releases. Other cryptographic toolkits will probably also phase out support for small parameters soon.
 * Future versions of OpenJDK may accept Diffie-Hellman parameters larger than 1024 bits.
 * Services and protocols that have hard-coded Diffie-Hellman parameters may be updated to generate or negotiate parameters, or to allow specifying parameters at runtime.

=== Ubuntu's Response ===

The response to Logjam in Ubuntu is under review. This page will be updated as decisions are made. The following actions have already been taken:

 * Export-grade cipher suites have been disabled in OpenSSL for all supported Ubuntu releases. See [[http://www.ubuntu.com/usn/usn-2624-1/|USN-2624-1]] for more information.
 * Support for ECC keys and ECDH cipher suites has been added to Apache in Ubuntu 12.04 LTS, so that sites can offer ECDHE key exchange instead of relying only on finite-field Diffie-Hellman. See [[http://www.ubuntu.com/usn/usn-2625-1/|USN-2625-1]] for more information.

=== Mitigation ===

System administrators can react immediately:

 * Disable support for export-strength cryptosystems in all services.
 * Generate site-local Diffie-Hellman parameters. There is currently no need to generate these parameters afresh for every service in an organization; the most important step is to stop using the popular, hard-coded Diffie-Hellman parameters, and to use parameters of at least 2048 bits, as the Logjam site recommends.

Instructions for these steps for popular services such as Apache, nginx, Lighttpd, Tomcat, Postfix, Sendmail, Dovecot, and HAProxy have been published on the official [[https://weakdh.org/sysadmin.html|Logjam site]].

'''Note:''' Some of the instructions rely on features added in newer versions of the software than the versions packaged for Ubuntu; we may backport patches to enable using different Diffie-Hellman parameters.

Typical Ubuntu users will see most benefit from installing package updates as they are released. Updated browsers refuse to connect to servers that still offer small Diffie-Hellman parameters, so some websites may be unavailable until they start supporting stronger cipher suites.

=== More information ===

 * Logjam paper: https://weakdh.org/imperfect-forward-secrecy.pdf
 * Mitigations: https://weakdh.org/sysadmin.html
 * CVE-2015-4000 in the Ubuntu CVE Tracker: http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-4000.html
 * OpenSSL response: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
 * NSS response: https://bugzil.la/1138554
 * strongSwan IKEv2 cipher suites: https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
 * OpenSSH hardening: https://stribika.github.io/2015/01/04/secure-secure-shell.html
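Before deploying site-local parameters it is worth checking what was actually generated. The following Python is an added example, not a tool from the Logjam site or from Ubuntu. It parses the PEM "DH PARAMETERS" file that `openssl dhparam` writes (a DER SEQUENCE of the INTEGERs p and g), then reports the modulus size, whether p is a probable prime, and whether p is a safe prime, which is what `openssl dhparam` generates by default. The `encode_dh_params` helper and the Mersenne primes fed to it exist only to construct test files offline; the 2048-bit minimum, the function names and the 16 Miller-Rabin rounds are our choices.

```python
# Added example (not from the Logjam site or from Ubuntu): check a generated
# "DH PARAMETERS" file before deploying it. Such a file is produced by e.g.
#   openssl dhparam -out dhparams.pem 2048
# and holds a DER SEQUENCE { INTEGER p, INTEGER g } wrapped in PEM.
import base64
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71]


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(x):
    """DER INTEGER; a leading 0x00 keeps a set top bit from reading as negative."""
    body = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """Write (p, g) in the PEM layout openssl uses; here only to build test input."""
    inner = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(inner)) + inner).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos, tag):
    """Return (content, next_pos) of the DER element at pos after checking its tag."""
    if buf[pos] != tag:
        raise ValueError("unexpected DER tag 0x%02x at offset %d" % (buf[pos], pos))
    first = buf[pos + 1]
    if first < 128:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return buf[pos:pos + length], pos + length


def decode_dh_params(pem):
    """Parse a PEM 'DH PARAMETERS' blob and return (p, g) as integers."""
    b64 = "".join(ln.strip() for ln in pem.splitlines()
                  if ln.strip() and not ln.startswith("-----"))
    seq, _ = _read_tlv(base64.b64decode(b64), 0, 0x30)
    p_bytes, pos = _read_tlv(seq, 0, 0x02)
    g_bytes, _ = _read_tlv(seq, pos, 0x02)
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=16):
    """Trial division, then Miller-Rabin; a composite survives with probability <= 4**-rounds."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def assess_dh_params(pem, min_bits=2048):
    """Report size, primality and safe-prime status; 'acceptable' needs all of them."""
    p, g = decode_dh_params(pem)
    prime = is_probable_prime(p)
    safe = prime and is_probable_prime((p - 1) // 2)
    return {"bits": p.bit_length(), "generator": g, "prime": prime,
            "safe_prime": safe, "acceptable": p.bit_length() >= min_bits and safe}


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:         # e.g. dhparams.pem from openssl dhparam
        print(assess_dh_params(f.read()))
```

A file from `openssl dhparam` without `-dsaparam` should report `safe_prime` true, so anything else means the file is not what was intended. The Mersenne primes used as constructed input (2^521-1, 2^2203-1) are chosen only because their primality is certain; primes of such special form are exactly what should never be deployed, and the check correctly rejects them because (p-1)/2 is composite.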
==== Timeline ====

 * 2015 May 20: Wide public disclosure via https://weakdh.org/ (the first time Ubuntu learned of the issue)
 * 2015 Jun 01: Ubuntu publishes OpenSSL updates ([[http://www.ubuntu.com/usn/usn-2624-1/|USN-2624-1]]) to disable export-grade cipher suites
 * 2015 Jun 02: Apache update for Ubuntu 12.04 LTS ([[http://www.ubuntu.com/usn/usn-2625-1/|USN-2625-1]]) provided to add support for ECC keys and ECDH cipher suites
 * 2015 Jun 11: Ubuntu publishes OpenSSL updates ([[http://www.ubuntu.com/usn/usn-2639-1/|USN-2639-1]]) to require a minimum of 768-bit Diffie-Hellman parameters
 * 2015 Jul 09: Ubuntu publishes NSS updates ([[http://www.ubuntu.com/usn/usn-2672-1/|USN-2672-1]]) to require a minimum of 768-bit Diffie-Hellman parameters
 * 2015 Jul 30: Ubuntu publishes OpenJDK 7 updates ([[http://www.ubuntu.com/usn/usn-2696-1/|USN-2696-1]]) to require a minimum of 768-bit Diffie-Hellman parameters by default

----
CategoryTemplate