ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

List of vulnerabilities for DevTest services

book

Article ID: 111791

calendar_today

Updated On:

Products

CA Application Test Service Virtualization

Issue/Introduction

As part of security verification devtest instances  were scanned  for any OS vulnerabilities and raised the following issues related to DevTest services.


#1. Java Deserialization Vulnerability Detected tcp over ssl 
#2. Java SSL KeyStore Password Disclosure Vulnerability
#3. Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) tcp over ssl CVE-2016-2183 
#4. SSL/TLS Server supports TLSv1.0 tcp over ssl 

 

Environment

All supported DevTest Environments

Resolution

The below settings should resolve these 4 concerns that are listed above.  

1) In all of the  VMOptions files (e.g., Registry.vmoptions, Simulator.vmoptions, etc.)
put this in:  -Dhttps.protocols=TLSv1.2  or -Dhttps.protocols=TLSv1.2,TLSv1.1

This will "disable" TLSv1, SSLv3 and, optionally, TLSv1.1, which have known vulnerabilities.  TLSv1.2 is the strongest SSL protocol currently supported (TLSv1.3 was only just released by IETF (Internet Engineering Task Force (IETF)); I don't know of any implementations that are available yet; its not something we provide).  

2) In their site.properties or local.properties, add this:


lisa.server.https.cipher.suites=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
TLS_RSA_WITH_AES_128_CBC_SHA,\
TLS_RSA_WITH_AES_128_CBC_SHA256,\
TLS_RSA_WITH_AES_128_GCM_SHA256,\


1.The "RSA+EXPORT" ciphers are supported;
2.The size of the RSA public key in certificate is not stronger than 1024;
3.The temporary RSA key size is less than 1024;
4.The temporary RSA key is stable(used multiple times);

Besides adding a list of accepted cipher suites to local.properties, the java.security file can be updated, too. There may be two java.security files they need to touch: one's in DevTestHome\jre\lib\security\ and one's in JAVA_HOME/jre/lib/security. Once both those files are found, apply these changes: 


If you want to set which TLS will be used, you can do it in the same file via property jdk.tls.client.protocols. 

Let’s say, we want to use only TLSv1.2 and only A (strong) grade cipher suites. 

* jdk.tls.client.protocols=TLSv1.2 
* jdk.tls.disabledAlgorithms=TLSv1, MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048 


Note to disabled algorithms: DESede and DES are disabled to disable 3DES. RSA keySize <2048, this will disable all RSA with 2048 and less bits. 

 

Additional Information

We are limited to what ciphers the JVM supports, For more information on how to configure the security of the Oracle JDK and JRE see https://www.java.com/en/configure_crypto.html.

The following knowledge base article discusses the 'lisa.server.https.cipher.suites' property: https://knowledge.broadcom.com/external/article?articleId=144183

DevTest Documentation can be found at: https://techdocs.broadcom.com/us/en/ca-enterprise-software/devops/devtest-solutions/10-5/reference/property-descriptions/custom-property-files/local-properties-file.html#concept.dita_3f01127616df0b8bb3296906a21a3df06a484f00_SSLProperties