Vulnerability on CAPM DC - SSH weaknesses exposed
Article ID: 204850
Products

CA Infrastructure Management CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

An internal security scan reveals the following security vulnerabilities which need to be remediated.

Please let me know how to fix these vulnerabilities.


Environment

Release : 20.2

Component : IM Polling

Cause

The karaf daemon runs an SSH server.

The only time it would be used is if support needed to SSH into karaf to check on running bundles while troubleshooting an issue.

Resolution

There are 2 possible solutions for this issue.

1. Port 8601 should be firewalled to be only locally accessible.

2. Regenerate the Karaf SSH host key with a stronger key:

   rm -f /opt/[IMDataAggregator|IMDataCollector]/apache-karaf-2.4.3/etc/host.key

   edit /opt/[IMDataAggregator|IMDataCollector]/apache-karaf-2.4.3/etc/org.apache.karaf.shell.cfg

   uncomment the keySize line and set keySize to 4096

   uncomment the algorithm line and set algorithm to RSA

   Restart the DC. These steps can also be used for the DA if needed.
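The steps in option 2 above, as an added shell example that is not part of this article or of Broadcom's product: it removes the old host.key, uncomments and sets keySize and algorithm in org.apache.karaf.shell.cfg, and verifies the result. The etc directory path is passed in by the caller (the /opt/[IMDataAggregator|IMDataCollector]/apache-karaf-2.4.3/etc paths from the article are assumed; the DC/DA restart is left to the operator). The helper for option 1 only prints iptables rules for port 8601 rather than applying them, since the firewall tooling on the host is an assumption.

```shell
#!/bin/sh
# Added example, not Broadcom's own script. Applies the host.key removal and
# keySize/algorithm settings from the article to a Karaf etc directory.
set -eu

# Set "key = value" in a Karaf .cfg file. If the key is present but commented
# out (for example "#keySize = 1024"), the line is uncommented and updated;
# if it is missing altogether, it is appended. Uses a temp file instead of
# sed -i so it behaves the same on GNU and BSD sed.
set_cfg_value() {
    cfg="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$cfg"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*(${key})[[:space:]]*=.*|\1 = ${value}|" \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s = %s\n' "$key" "$value" >> "$cfg"
    fi
}

# Print the active (uncommented) value of a key, or nothing if it is not set.
cfg_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Option 2 from the article: drop the existing host key so Karaf generates a
# new one on restart, and require a 4096-bit RSA key for it.
harden_karaf_ssh() {
    etc_dir="$1"
    cfg="$etc_dir/org.apache.karaf.shell.cfg"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    rm -f "$etc_dir/host.key"
    set_cfg_value "$cfg" keySize 4096
    set_cfg_value "$cfg" algorithm RSA
    # Verify before the operator restarts the DC/DA.
    [ "$(cfg_value "$cfg" keySize)" = "4096" ] || return 1
    [ "$(cfg_value "$cfg" algorithm)" = "RSA" ] || return 1
    echo "Karaf SSH host key settings updated in $cfg; restart the DC/DA to regenerate host.key"
}

# Option 1 from the article: allow the Karaf SSH port only from the host
# itself. Printed, not applied; iptables syntax is an assumption, adapt to
# firewalld or nftables if that is what the server uses.
karaf_ssh_localhost_only_rules() {
    port="${1:-8601}"
    printf 'iptables -A INPUT -p tcp --dport %s -i lo -j ACCEPT\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Usage: sh harden_karaf_ssh.sh --apply /opt/IMDataCollector/apache-karaf-2.4.3/etc
if [ "${1:-}" = "--apply" ]; then
    harden_karaf_ssh "${2:?path to the Karaf etc directory}"
fi
```

Run it with --apply against the DC's (or DA's) etc directory, then restart the service as the article instructs; the function refuses to proceed if the config file is not where expected, so a wrong path fails loudly rather than creating a stray file.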

Additional Information

Broadcom plans to update to a newer version of karaf in a future build which may offer more flexibility for adding custom headers.

12.2020 - There is no ETA for completion of this work.