Cloud Proxy Vulnerabilities
Article ID: 186817
Updated On:
Products
CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management
Issue/Introduction
A vulnerability scan identified some vulnerabilities. They are related to support for static key cipher suites and insecure TLS/SSL protocols supported. We need your assistance to determine if we can add configuration changes to address or provide information to justify exception.
Cloud Proxy Version: 54.45.0.125
The vulnerability scanning tool: Rapid 7 Nexpose, v6.6.3
Environment
Release : DX APM SaaS, Enterprise Manager Release: 19.10.04 (Build 990148)
Resolution
The property in application.yml file and property apm.server.secureProtocols can be changed to TLSv1.2.
Also, JAVA allows cipher suites to be removed/excluded from use in the security policy file called java.security that’s located in your JRE: $PATH/[JRE]/lib/security The jdk.tls.disabledAlgorithms property in the policy file controls TLS cipher selection.
Oracle has more information about this.
Weak cipher suites can be disabled at JDK level with following properties,
jdk.tls.client.protocols=TLSv1.2
jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048
Cloud proxy doesn't have any external configuration to enable/disable the cipher suites.
Also, JAVA allows cipher suites to be removed/excluded from use in the security policy file called java.security that’s located in your JRE: $PATH/[JRE]/lib/security The jdk.tls.disabledAlgorithms property in the policy file controls TLS cipher selection.
Oracle has more information about this.
Weak cipher suites can be disabled at JDK level with following properties,
jdk.tls.client.protocols=TLSv1.2
jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048
Cloud proxy doesn't have any external configuration to enable/disable the cipher suites.
Feedback
Yes
No
Powered by
