Penetration test complains about weak cipher

Article ID: 130428

Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

Our security team ran a penetration test against our Wily install and the result says that Wily supports SSL Medium Strength Cipher Suites.

Description: The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.

The finding applies to the following two processes, the Enterprise Manager and WebView:

./jre/bin/java -Xms4096m -Xmx8192m -Djava.awt.headless=true -Dmail.mime.charset=UTF-8 -Dorg.owasp.esapi.resources=./config/esapi -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -Xss512k com.zerog.lax.LAX /export/appl/wilyca/Introscope10.3.0.19/5000/Introscope_Enterprise_Manager.lax /tmp/env.properties.17739 wily 17776

./jre/bin/java -Xms256m -Xmx1024m -Djava.awt.headless=true -Dorg.owasp.esapi.resources=./config/esapi -Dsun.java2d.noddraw=true -Dorg.osgi.framework.bootdelegation=org.apache.xpath com.zerog.lax.LAX /export/appl/wilyca/Introscope10.3.0.19/5000/Introscope_WebView.lax /tmp/env.properties.17776 

The following cipher suites show up in the security report:
DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA

How can the above cipher suites be disabled within Enterprise Manager and WebView?

Environment

Release:
Component: APMISP

Resolution

We tried the following jdk.tls.disabledAlgorithms setting in the file <EM-WV-Home>/jre/lib/security/java.security on 10.3.0.19:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA
and it did not work.
We tried the following setting:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES, DESede
Compared to the original value in the file: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
We only added: DES, DESede
And it helped to remove all ciphers with 3DES (also named DES-EDE or DES-CBC3 in various contexts).
We tested that this setting is correctly applied with cipherscan, which reports all cipher suites that are available for connecting:
https://github.com/mozilla/cipherscan
We suggest testing with the following:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES, DESede
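
The following is an added example, not part of the original article or the product: a Python check of java.security content that uses a simplified model of how JSSE matches jdk.tls.disabledAlgorithms entries, by a suite's component algorithm names (such as DESede) rather than by the OpenSSL names a scanner prints. The SUITES table, the function names and the sample file contents are assumptions constructed for this example.

```python
import re

# Constructed table (assumption of this example): OpenSSL names from the scan
# report -> a simplified set of the JSSE component names for the same suite.
SUITES = {
    "DES-CBC3-SHA": {"RSA", "DESede", "3DES_EDE_CBC"},
    "EDH-RSA-DES-CBC3-SHA": {"DHE", "RSA", "DESede", "3DES_EDE_CBC"},
    "ECDHE-RSA-DES-CBC3-SHA": {"ECDHE", "RSA", "DESede", "3DES_EDE_CBC"},
}
PROP = "jdk.tls.disabledAlgorithms"

def disabled_entries(text):
    """Entries of PROP in java.security text; joins continuation lines, last definition wins."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and line.startswith("#"):
            continue                      # comment line
        if line.endswith("\\"):
            pending += line[:-1]          # value continues on the next line
            continue
        m = re.match(r"([\w.]+)\s*[=:]\s*(.*)$", pending + line)
        pending = ""
        if m and m.group(1) == PROP:
            entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return entries

def still_offered(text):
    """Reported suites that no unconditional entry in PROP disables."""
    # "DH keySize < 768" restricts key sizes only, so constrained entries are skipped.
    names = {e.lower() for e in disabled_entries(text) if " " not in e}
    return sorted(s for s, parts in SUITES.items()
                  if not names & {p.lower() for p in parts})

# Constructed file contents using the two settings quoted in the article.
BASE = "SSLv3, RC4, MD5withRSA, DH keySize < 768"
FIRST_TRY = (f"# constructed sample\n{PROP}={BASE}, \\\n"
             "    DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA\n")
WORKING = f"{PROP}={BASE}, DES, DESede\n"

if __name__ == "__main__":
    for label, text in (("first try", FIRST_TRY), ("working", WORKING)):
        print(label, "->", still_offered(text) or "no 3DES suites left")
```

This only audits the configuration file; a scan of the listening ports with cipherscan after restarting Enterprise Manager and WebView remains the confirmation that the suites are gone.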