Security vulnerability issue "SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)" for APM 10.7 reported by Nessus during a security scan.

SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

The remote host allows SSL/TLS connections with one or more
Diffie-Hellman moduli less than or equal to 1024 bits. Through
cryptanalysis, a third party may be able to find the shared secret in
a short amount of time (depending on modulus size and attacker
resources). This may allow an attacker to recover the plaintext or
potentially violate the integrity of connections.

Vulnerable connection combinations :

  SSL/TLS version  : TLSv1.2
  Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
  Diffie-Hellman MODP size (bits) : 1024
    Warning - This is a known static Oakley Group2 modulus. This may make
    the remote host more vulnerable to the Logjam attack.
  Logjam attack difficulty : Hard (would require nation-state resources)

  SSL/TLS version  : TLSv1.2
  Cipher suite     : TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
  Diffie-Hellman MODP size (bits) : 1024
    Warning - This is a known static Oakley Group2 modulus. This may make
    the remote host more vulnerable to the Logjam attack.
  Logjam attack difficulty : Hard (would require nation-state resources)

  SSL/TLS version  : TLSv1.2
  Cipher suite     : TLS1_DHE_RSA_WITH_AES_128_CBC_SHA256
  Diffie-Hellman MODP size (bits) : 1024
    Warning - This is a known static Oakley Group2 modulus. This may make
    the remote host more vulnerable to the Logjam attack.
  Logjam attack difficulty : Hard (would require nation-state resources)

  SSL/TLS version  : TLSv1.2
  Cipher suite     : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  Diffie-Hellman MODP size (bits) : 1024
    Warning - This is a known static Oakley Group2 modulus. This may make
    the remote host more vulnerable to the Logjam attack.
  Logjam attack difficulty : Hard (would require nation-state resources)

We observed that one APM environment is showing this security vulnerability issue while another APM environment is not showing this security vulnerability issue. How can we address this security vulnerability issue?

Release : 10.7.0

Component : APMISP

Disable weak cyphers in jetty config files:

introscope-home/config/em-jetty-config.xml

AND

introscope-home/config/webview-jetty-config.xml

....

<!-- Include or exclude specific ciphers as needed -->
                    <Set name="excludeCipherSuites">
                      <Array type="java.lang.String">
                        <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
                        <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
                        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
                        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                        <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                      </Array>

...

Note: By default em-jetty-config.xml and webview-jetty-config.xml files do not have any cypher defined in these jetty config files.

If this does not help, we suggest you to do the following:

Consult with your security team and discuss why one APM environment is showing these security vulnerabilities while the other APM environment is not showing these security vulnerabilities.

Get the details about the application name, process name, port number and also location of the files that these security vulnerabilities are related to. This way you can demine how to proceed further on this issue.