Penetration test complains about weak cipher


Article ID: 130428

Products: CA Application Performance Management Agent (APM / Wily / Introscope), Customer Experience Manager, Introscope


Our security team ran a penetration test against our Wily install and the result says that Wily supports SSL Medium Strength Cipher Suites.

Description: The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths of at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.

The finding applies to the following two processes, the Enterprise Manager and WebView:

./jre/bin/java -Xms4096m -Xmx8192m -Djava.awt.headless=true -Dmail.mime.charset=UTF-8 -Dorg.owasp.esapi.resources=./config/esapi -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -Xss512k com.zerog.lax.LAX /export/appl/wilyca/Introscope10.3.0.19/5000/Introscope_Enterprise_Manager.lax /tmp/ wily 17776

./jre/bin/java -Xms256m -Xmx1024m -Djava.awt.headless=true -Dorg.owasp.esapi.resources=./config/esapi -Dsun.java2d.noddraw=true -Dorg.osgi.framework.bootdelegation=org.apache.xpath com.zerog.lax.LAX /export/appl/wilyca/Introscope10.3.0.19/5000/Introscope_WebView.lax /tmp/ 

The following cipher suites show up in the security report.

How can these cipher suites be disabled in the Enterprise Manager and WebView?


Component: APMISP


We first tried the following jdk.tls.disabledAlgorithms setting in the file <EM-WV-Home>/jre/lib/security/:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA
It did not work.
We then tried the following setting:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES, DESede
Compared to the original value in the file, jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768,
we only added: DES, DESede
This removed all cipher suites that use 3DES (also named DES-EDE or DES-CBC3 in various contexts).
We verified that the setting is applied correctly with cipherscan, which reports all cipher suites available for connecting:
We suggest testing with the following setting:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES, DESede
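A quick way to confirm what the suggested value does inside the JVM itself, before touching the Enterprise Manager, is to apply it programmatically and list the cipher suites JSSE still enables. The following is an added example, not code from the article or from CA; the class name is arbitrary, and it should be run with the bundled JRE (./jre/bin/java) so that the result reflects the same TLS stack the EM and WebView use.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

public class DisabledAlgorithmsCheck {
    // Value suggested in the article; set in-process here instead of editing java.security.
    static final String DISABLED =
        "SSLv3, RC4, MD5withRSA, DH keySize < 768, DES, DESede";

    public static void main(String[] args) throws Exception {
        // Must be set before JSSE initialises its constraints, i.e. before any SSLContext exists.
        Security.setProperty("jdk.tls.disabledAlgorithms", DISABLED);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        // Default parameters carry the *enabled* suite list, which already excludes disabled ones.
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        // Java names 3DES suites "..._3DES_EDE_CBC_..." and single DES "..._DES_CBC_...".
        long weak = Arrays.stream(enabled)
            .filter(s -> s.contains("3DES") || s.contains("_DES_"))
            .count();

        for (String s : enabled) {
            System.out.println(s);
        }
        System.out.println(weak == 0
            ? "OK: no DES/3DES cipher suites enabled"
            : "FAIL: " + weak + " DES/3DES cipher suites still enabled");
        System.exit(weak == 0 ? 0 : 1);
    }
}
```

Running the class once with DISABLED set to the original value and once with the suggested one shows exactly which suites the two added entries remove; an exit status of 1 means the JRE still offers a DES or 3DES suite.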