ActiveMQ Application port 8161 Vulnerability

Article ID: 191950

Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

Hi Team,

We found a vulnerability on port 8161, which is used by ActiveMQ, which is prerequisite software for CA PIM when we set it up at the beginning.

We managed to find the link: https://knowledge.broadcom.com/external/article/97680/vulnerability-on-active-mq-process-on-po.html

But here are the questions:
1) How do we modify the password? We tried from IE, logged in with the admin account, and couldn't find the location (see attachment).
    If we change it directly in the files (already logged in as admin and with the MQ service stopped), it gives the error 'access denied'.

2) What is the effect if we change this password? Will it affect the performance of CA PIM?

3) Does this link resolve the VA below?

Name: SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
Description: The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. Through cryptanalysis, a third party may be able to find the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.
Solution: Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.

Name: SSL Medium Strength Cipher Suites Supported (SWEET32)
Description: The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
Solution: To disable SHA1 and CBC mode cipher encryption and enable CTR or GCM cipher mode encryption.

Please refer to the attachment for more details.

Thanks.

Environment

Release :

Component : CA ControlMinder

Resolution

Follow these steps to mitigate the SWEET32 attack.

Prerequisite: JDK 1.8

1) Navigate to the folder C:\jdk1.8.0\jre\lib\security (or the equivalent path in your installation)

2) Open java.security

3) Edit the line that contains "jdk.tls.disabledAlgorithms"

4) Merge these values into the existing ones: "SSLv3, DES, DESede, RC4, MD5withRSA"

5) Restart ActiveMQ service and Web Server