How is Blackbaud NetCommunity impacted by the DROWN vulnerability?

In March 2016, the DROWN vulnerability was discovered. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption, and it affects HTTPS and other services that use SSL and SSLv2.
 
The DROWN vulnerability is a cross-protocol security bug. It attacks servers that support modern TLS protocol suites by using their support for the obsolete, insecure SSLv2 protocol as leverage against connections that use up-to-date protocols and would otherwise be secure. DROWN can affect any type of server that offers services encrypted with TLS yet still supports SSLv2, provided the two protocols share the same public key credentials.

Disabling SSLv2 on the system that supports it is sufficient to prevent the DROWN attack. 

If you are hosted by Blackbaud:

SSLv2 is disabled on all hosted servers. We have disabled this protocol where it was present in our environment and continue our standard processes of reviewing our configurations for all exceptions or deviations from our preferred configurations.

If your organization hosts Blackbaud NetCommunity and/or The Raiser's Edge Web Services Server (or REWS):

System administrators should work directly with their security team and internal resources to address the DROWN vulnerability and to disable SSLv2 on the Blackbaud NetCommunity web server and/or REWS.
Note: Throughout this article, we have provided links to third-party websites. We provide links to third-party websites in an effort to help you resolve your issue. We are not responsible for the information on third-party websites, and we cannot assist in implementing the solutions on these websites.
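
One way to audit and disable SSLv2 on a self-hosted web server, given here as an added example that is not Blackbaud's own code. It assumes a Windows server whose TLS is provided by Schannel (as with IIS); the function names are hypothetical.

```powershell
# Added example (not Blackbaud code). Assumes a Windows server using Schannel for TLS.
# Function names are hypothetical; run from an elevated PowerShell session.
$Ssl2ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'

function Get-Ssl2ServerState {
    # Read-only audit of the explicit registry setting for SSL 2.0 (server side).
    $result = [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Enabled           = $null            # $null means the value is not present
        DisabledByDefault = $null
        State             = 'NotConfigured'  # OS default applies; set it explicitly
    }
    $props = Get-ItemProperty -Path $Ssl2ServerKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $p = $props.PSObject.Properties[$name]
            if ($p) { $result.$name = $p.Value }
        }
        if ($null -ne $result.Enabled) {
            $result.State = if ($result.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }
    $result
}

function Disable-Ssl2Server {
    # Writes Enabled=0 and DisabledByDefault=1; supports -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($Ssl2ServerKey, 'Set Enabled=0, DisabledByDefault=1')) {
        # Create the key only if missing, so existing values are not wiped.
        if (-not (Test-Path -Path $Ssl2ServerKey)) {
            New-Item -Path $Ssl2ServerKey -Force | Out-Null
        }
        New-ItemProperty -Path $Ssl2ServerKey -Name 'Enabled' -Value 0 `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $Ssl2ServerKey -Name 'DisabledByDefault' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

Get-Ssl2ServerState            # audit only, changes nothing
# Disable-Ssl2Server -WhatIf   # preview the registry change
# Disable-Ssl2Server           # apply the change
```

Schannel protocol settings take effect after a restart, so schedule a reboot and rerun `Get-Ssl2ServerState` afterwards. Because DROWN depends on shared public key credentials, repeat the audit on every server that uses the same certificate and key as the NetCommunity or REWS server.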

Environment

 Blackbaud NetCommunity
