
Cloud Proxy Vulnerabilities


Article ID: 186817


Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management

Issue/Introduction

A vulnerability scan identified some vulnerabilities. They are related to support for static-key cipher suites and to insecure TLS/SSL protocols being supported. We need your assistance to determine whether we can make configuration changes to address them, or to provide information to justify an exception.

Cloud Proxy Version: 54.45.0.125

The vulnerability scanning tool: Rapid7 Nexpose, v6.6.3

Environment

Release : DX APM SaaS, Enterprise Manager Release: 19.10.04 (Build 990148)


Resolution

The apm.server.secureProtocols property in the Cloud Proxy's application.yml file can be set to TLSv1.2 so that only TLS 1.2 is offered on the listener; this addresses the findings about insecure TLS/SSL protocol support.

Also, Java allows cipher suites to be excluded through the security policy file java.security, located in your JRE under $PATH/[JRE]/lib/security (on JDK 9 and later the file lives under conf/security instead). The jdk.tls.disabledAlgorithms security property in that file controls which algorithms, and therefore which TLS cipher suites, the JSSE provider will negotiate.

Oracle's JSSE Reference Guide documents the syntax of this property.


Weak cipher suites can be disabled at the JDK level with the following properties:

jdk.tls.client.protocols=TLSv1.2
jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048

Note that jdk.tls.client.protocols is a JVM system property (pass it on the command line as -Djdk.tls.client.protocols=TLSv1.2) and only restricts connections the JVM makes as a TLS client, whereas jdk.tls.disabledAlgorithms is set in java.security and applies to both client and server connections. The value given for jdk.tls.disabledAlgorithms replaces the JDK's default list rather than extending it, so append these entries to the existing line instead of overwriting it; otherwise defaults such as RC4, anon and NULL would be re-enabled.

The Cloud Proxy itself has no external configuration for enabling or disabling individual cipher suites; cipher suite restrictions have to be applied at the JDK level as described above.
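The following is an added example, not code from the article, Broadcom/CA or the Cloud Proxy. It audits a java.security file for the jdk.tls.disabledAlgorithms entries listed above and merges them into the existing value rather than replacing it, which is the mistake that silently re-enables the JDK's own defaults. The java.security excerpt, the function names and the helper logic are all constructed for this example; the comparison is purely textual and does not know that, for instance, 3DES_EDE_CBC and DESede refer to the same cipher.

```python
"""
Added example, not part of the Broadcom/CA article or the Cloud Proxy code:
audit a java.security file for the jdk.tls.disabledAlgorithms entries this
article recommends, and merge them into the existing value instead of
overwriting it (overwriting would drop the JDK's own defaults).
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the style of a JDK 8 java.security file; not copied
# from any real JRE.  Note the backslash line continuation, which is the
# format Java's Properties loader expects.
SAMPLE_JAVA_SECURITY = """\
# constructed sample
security.provider.1=sun.security.provider.Sun
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

PROPERTY = "jdk.tls.disabledAlgorithms"

# Entries listed in the article's resolution.
ARTICLE_ENTRIES = ["MD5", "SSLv3", "DSA", "DESede", "DES", "RSA keySize < 2048"]


def parse_security_properties(text: str) -> Tuple[Dict[str, str], Dict[str, Tuple[int, int]]]:
    """Parse key=value pairs, honouring backslash continuations.

    Returns the properties and, for each key, the (first, last) raw line
    indices it occupies so the file can be rewritten in place.
    """
    props: Dict[str, str] = {}
    spans: Dict[str, Tuple[int, int]] = {}
    buf: List[str] = []
    start = 0
    for idx, raw in enumerate(text.splitlines()):
        line = raw.rstrip()
        if buf:
            line = line.lstrip()        # Java strips leading space on continuations
        else:
            start = idx
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical = "".join(buf).strip()
        buf = []
        if not logical or logical.startswith("#") or logical.startswith("!"):
            continue
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
            spans[key.strip()] = (start, idx)
    return props, spans


def split_entries(value: str) -> List[str]:
    """'A, B keySize < 1024' -> ['A', 'B keySize < 1024'] (spaces inside entries kept)."""
    return [re.sub(r"\s+", " ", e).strip() for e in value.split(",") if e.strip()]


def missing_entries(text: str, wanted: List[str]) -> List[str]:
    """Entries from `wanted` that are not already present (case-insensitive,
    textual match only)."""
    props, _ = parse_security_properties(text)
    present = {e.lower() for e in split_entries(props.get(PROPERTY, ""))}
    return [w for w in wanted if w.lower() not in present]


def merged_value(text: str, wanted: List[str]) -> str:
    """Existing entries first, then the missing ones, duplicates removed."""
    props, _ = parse_security_properties(text)
    entries = split_entries(props.get(PROPERTY, ""))
    seen = {e.lower() for e in entries}
    for w in wanted:
        if w.lower() not in seen:
            entries.append(w)
            seen.add(w.lower())
    return ", ".join(entries)


def rewrite_java_security(text: str, wanted: List[str]) -> str:
    """Return the file text with the property replaced by the merged value
    (appended if the property was absent)."""
    props, spans = parse_security_properties(text)
    new_line = f"{PROPERTY}={merged_value(text, wanted)}"
    lines = text.splitlines()
    if PROPERTY in spans:
        first, last = spans[PROPERTY]
        lines[first:last + 1] = [new_line]
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("missing:", missing_entries(SAMPLE_JAVA_SECURITY, ARTICLE_ENTRIES))
    print(rewrite_java_security(SAMPLE_JAVA_SECURITY, ARTICLE_ENTRIES))
```

Run it against the real file by reading the JRE's java.security into `text` instead of the constructed sample, review the merged line, and only then write it back; the JVM has to be restarted for the change to take effect.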