Earlier this week, security researchers announced the vulnerability CVE-2015-4000, dubbed “Logjam” that is similar to the FREAK vulnerability published a couple of months ago. When a browser and a server are establishing a secure connection using the DHE protocol, if exploited, this vulnerability could allow an attacker to downgrade the strength of that connection and thus break the integrity of the transmission.
In order to help defend against this vulnerability, users should update their browsers to the latest version, although as of this writing, some of the major browsers are still working on a patch for Logjam. Patches for all major browsers should be available shortly, so you should keep monitoring availability.
On the server side, some of the ways of defending against this is by disabling export cipher suites, using Elliptic Curve DHE (ECDHE) protocol instead of DHE, and by using 2048-bit key sizes for DHE. OneLogin does not have export cipher suites enabled, and this is why FREAK was not an issue earlier this year.
In terms of protocol support, OneLogin supports both ECDHE and DHE, with ECDHE being the preferred protocol used by our servers. We are currently working on upgrading DHE as part of other server updates we are making that will be communicated to account admins with sufficient lead time to minimize the impact it may have on end users.
If you are interested in learning more about Logjam, Matthew Green, one of the researchers involved in discovering the vulnerability, has written a good post summarizing the vulnerability.
For any security concerns related to this security advisory, please contact firstname.lastname@example.org.