Vulnerability Assessment reports PIM ports are having the following vulnerability
Name | Description | Solution |
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) | The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. Through cryptanalysis, a third party may be able to find the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections. |
Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater. |
SSL Medium Strength Cipher Suites Supported (SWEET32) | The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network. |
To disable SHA1 and CBC mode cipher encryption and enable CTR or GCM cipher mode encryption. |
Release :
Component : CA ControlMinder
Follow these steps to mitigate both vulnerabilities.
This is based on jdk 1.8 version
1) Navigate to folder(or similar) C:\jdk1.8.0\jre\lib\security
2) Open java.security
3) edit the line that contains "jdk.tls.disabledAlgorithms" as below.
From | jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768 |
To | jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 2048, \ 3DES_EDE_CBC, \ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, \ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
!! You can add or remove the ciphers as needed.
4) Restart tomcat and other PIM services
Before the change:
nmap -sV --script ssl-enum-ciphers -p 8443 {ENTM IP}
| ssl-enum-ciphers: |
After:
nmap -sV --script ssl-enum-ciphers -p 8443 {ENTM IP}
PORT STATE SERVICE VERSION |