DROWN Attack / U2 advisory notice
On March 1st, when the news of the DROWN [Decrypting RSA with Obsolete and Weakened eNcryption] attack became public, we at Rocket Software took immediate action to review our product portfolio.
The Rocket® U2 security team conducted a thorough investigation and testing to determine the vulnerability of the product. Based on the known characteristics of the DROWN attack and test results, we determined that in order to maintain its security the U2 server must be configured according to the recommendations below. These recommendations are applicable to all current and previous U2 releases that support SSL. You can verify your configuration by confirming that the server's security context records (SCRs) are configured using SSLv3 or TLSv1 protocols (TLSv1.1 and TLSv1.2 protocols for Rocket UniVerse version 11.2.5 or any later version; or Rocket UniData® version 8.1.0 or any later version).
We recommend that all customers perform the following to ensure that the U2 server is configured as follows: