Security advisory: CVE-2015-0204 (FREAK) SSL/TLS Vulnerability

This article is in response to CVE-2015-0204, known as the "FREAK" attack, announced March 4th, 2015. More details about the attack can be found at https://freakattack.com.
 
We have done a comprehensive evaluation of Aspera products and have determined the following:

-- Our server products are not exposed. This includes Enterprise Server as well as our web servers: Faspex, Shares, Console, Orchestrator and Connect Server.


-- Our client products are not exposed to this type of threat as long as our servers are properly protected. The FREAK attack is a "man-in-the-middle" attack that requires the server to be compromised. The client products include the desktop applications Drive, Connect, P2P, Desktop Client, Enterprise Server and Cargo, and the mobile applications Faspex and Drive.

To protect your servers from this attack, ensure that you:

          (a) Do not front our apps with servers that are exposed.

          (b) Do not change our default configuration to add EXP_* ciphers.

-- We are upgrading all our client products to the latest security patches available in our next dot release. These will be rolled out in Q2 2015 and will eliminate the exposure on the client side.

-- For our mobile clients, which depend on the underlying SSL provided by the operating system, make sure to patch your operating systems as soon as the OS vendors publish an update.
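
Item (b) above can be checked mechanically before a configuration change is deployed. The following Python check is an added example, not Aspera code: it assumes the cipher list is written in OpenSSL cipher-string syntax, and the function names and sample strings are constructed for illustration.

```python
import re

# Names that select export-grade suites: OpenSSL keywords and suite names,
# plus IANA-style names containing _EXPORT_.
EXPORT_RE = re.compile(r"^(EXP|EXPORT|EXPORT40|EXPORT56|EXP(1024)?-.+|.*_EXPORT(1024)?_.*)$")
BROAD_EXPORT = {"EXP", "EXPORT"}   # keywords covering every export suite


def is_export(term):
    # "RSA+EXPORT" is an AND of keywords, so one export part is enough.
    return any(EXPORT_RE.match(part) for part in term.split("+") if part)


def export_enablers(cipher_string):
    """Return the tokens of an OpenSSL-style cipher string that leave
    export-grade suites enabled (an empty list means none)."""
    enabled, killed = [], set()
    for tok in re.split(r"[:, ]+", cipher_string.strip()):
        if not tok:
            continue
        op, term = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        if op == "+":                      # "+X" only reorders suites
            continue
        if op in ("!", "-"):
            if term in BROAD_EXPORT or term == "ALL":
                enabled.clear()            # every export suite removed
            else:
                enabled = [t for t in enabled if t != term]
            if op == "!":                  # "!" is permanent, "-" is not
                killed.add(term)
            continue
        blocked = bool(killed & BROAD_EXPORT) or term in killed
        # On builds that still ship export suites, ALL selects them too.
        if (is_export(term) or term == "ALL") and not blocked and term not in enabled:
            enabled.append(term)
    return enabled


# Constructed sample cipher strings, not taken from any Aspera configuration.
SAMPLES = ["HIGH:!aNULL:!MD5", "ALL:!EXP:!aNULL",
           "HIGH:MEDIUM:EXP-RC4-MD5", "ALL:-EXP:EXPORT40"]

if __name__ == "__main__":
    for s in SAMPLES:
        hits = export_enablers(s)
        print(f"{s!r}: {'export enabled by ' + ', '.join(hits) if hits else 'ok'}")
```

A non-empty result names the tokens to remove or to override with `!EXP` before the cipher list is used.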
