DROWN Attack / U2 advisory notice

On March 1st, when the news of the DROWN [Decrypting RSA with Obsolete and Weakened eNcryption] attack became public, we at Rocket Software took immediate action to review our product portfolio.

The Rocket® U2 security team conducted a thorough investigation, including testing, to determine whether the product is vulnerable. Based on the known characteristics of the DROWN attack and on the test results, we determined that the U2 server must be configured according to the recommendations below in order to remain secure. These recommendations apply to all current and previous U2 releases that support SSL. You can verify your configuration by confirming that the server's security context records (SCRs) are configured to use the SSLv3 or TLSv1 protocols (TLSv1.1 and TLSv1.2 for Rocket UniVerse version 11.2.5 or later, or Rocket UniData® version 8.1.0 or later).

We recommend that all customers perform the following steps to ensure that the U2 server is configured correctly:

  1. Make sure the server's SCRs are configured to use at least SSLv3, preferably TLSv1 (for older releases that do not support TLSv1.2). For UniVerse version 11.2.5 and later or UniData version 8.1.0 and later, the SCR should be configured to use TLSv1.2.
  2. Make sure the server's certificate is not shared with any other SSLv2-enabled server (including any non-U2 servers).
  3. Specify the SCR's cipher suites as "RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW", which is a good practice that allows users to further restrict the cipher suites to only higher grade ones.
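The cipher-suite string in step 3 is an OpenSSL cipher-list specification, and which suites it keeps, and in what order, follows from OpenSSL's prefix rules: a bare alias adds matching suites, `!` removes them permanently, `-` removes them but lets a later token add them back, and `+` moves suites already in the list to the end. The example below is added here for illustration; it is not Rocket's code and not part of this notice. It evaluates such a string against a small constructed cipher table with simplified strength classes (bits above 128 count as HIGH, exactly 128 as MEDIUM, fewer as LOW, export suites as EXP and unencrypted suites as NULL), so you can see that the recommended string leaves high-grade suites first, medium-grade suites after them, and nothing from the EXP, NULL or LOW classes, and why `!EXP` and `!NULL` are stronger than `-LOW`.

```python
"""Evaluate an OpenSSL-style cipher-list string against a constructed table.

Added illustration, not Rocket Software's code. The cipher table is a
constructed subset of OpenSSL cipher names and the strength classes are a
simplification of OpenSSL's HIGH/MEDIUM/LOW/EXP/NULL aliases.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    kx: str          # key exchange: "RSA" (static RSA), "ECDHE", "DHE"
    enc: str         # bulk cipher, "NULL" means no encryption
    bits: int        # effective key length in bits
    export: bool = False


# Constructed table, ordered roughly as an OpenSSL 1.0.x build would list it.
TABLE = [
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE", "AES256", 256),
    Cipher("AES256-GCM-SHA384", "RSA", "AES256", 256),
    Cipher("AES128-SHA", "RSA", "AES128", 128),
    Cipher("DES-CBC3-SHA", "RSA", "3DES", 168),
    Cipher("RC4-MD5", "RSA", "RC4", 128),
    Cipher("DES-CBC-SHA", "RSA", "DES", 56),
    Cipher("EXP-RC4-MD5", "RSA", "RC4", 40, export=True),
    Cipher("NULL-SHA", "RSA", "NULL", 0),
]

WEAK_CLASSES = {"EXP", "NULL", "LOW"}


def strength(c: Cipher) -> str:
    """Simplified strength class for one suite."""
    if c.enc == "NULL":
        return "NULL"
    if c.export:
        return "EXP"
    if c.bits > 128:
        return "HIGH"
    if c.bits == 128:
        return "MEDIUM"
    return "LOW"


def matches(alias: str, c: Cipher) -> bool:
    """Does a single alias (RSA, EXP, NULL, HIGH, ...) match this suite?"""
    if alias == "ALL":
        return c.enc != "NULL"          # ALL excludes unencrypted suites
    if alias in ("NULL", "eNULL"):
        return c.enc == "NULL"
    if alias in ("RSA", "kRSA"):
        return c.kx == "RSA"
    if alias in ("HIGH", "MEDIUM", "LOW", "EXP"):
        return strength(c) == alias
    return c.enc == alias               # e.g. "AES128", "RC4"


def evaluate(spec: str, table=TABLE) -> list[str]:
    """Apply OpenSSL's prefix rules token by token and return suite names."""
    selected: list[Cipher] = []
    killed: set[str] = set()
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token:
            continue
        if token == "@STRENGTH":        # stable sort, strongest first
            selected.sort(key=lambda c: -c.bits)
            continue
        op, alias = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        # "A+B" inside an alias means both must match (conjunction)
        hits = [c for c in table if all(matches(a, c) for a in alias.split("+"))]
        if op == "!":                   # permanent removal
            killed.update(c.name for c in hits)
            selected = [c for c in selected if c.name not in killed]
        elif op == "-":                 # removal that a later token can undo
            selected = [c for c in selected if c not in hits]
        elif op == "+":                 # move already-selected suites to the end
            moved = [c for c in selected if c in hits]
            selected = [c for c in selected if c not in hits] + moved
        else:                           # add, keeping table order, skipping killed
            for c in hits:
                if c.name not in killed and c not in selected:
                    selected.append(c)
    return [c.name for c in selected]


def weak_suites(names: list[str], table=TABLE) -> list[str]:
    """Names from the resolved list that fall into EXP, NULL or LOW."""
    by_name = {c.name: c for c in table}
    return [n for n in names if strength(by_name[n]) in WEAK_CLASSES]


if __name__ == "__main__":
    spec = "RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"
    print(spec, "->", evaluate(spec))
    print("weak suites left:", weak_suites(evaluate(spec)))
```

Note what the trace shows: `+HIGH` followed by `+MEDIUM` leaves the list ordered high-grade first and medium-grade second, because each `+` moves its matches to the end in turn. Appending `:LOW` to the recommended string re-adds the 56-bit suite that `-LOW` removed, whereas appending `:EXP` or `:NULL` adds nothing back, which is why the weak classes you never want are excluded with `!`. Running the same string through a real OpenSSL build (`openssl ciphers -v 'RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW'`) lists the suites that build actually resolves.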

For more information about DROWN, see:

DROWN Attack

If you have further questions please contact Rocket Support.