MOI security vulnerability fix for SSH ciphers and TLS security issue with DAAS ports


Article ID: 221417


Products

CA Mainframe Operational Intelligence

Issue/Introduction

The attached security vulnerability patch script, patch-ssh-and-daas_1628619072372.sh, does the following:

1) It addresses the SSH vulnerability by updating the ciphers used for SSH in the MOI appliance file /etc/ssh/sshd_config as follows:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
KexAlgorithms diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

2) It also removes the data service (daas) ports 7160 and 7161 by updating the MOI appliance file /opt/moi/dataservice/normal/docker-compose.yml, to address the TLS vulnerability with these ports.

Note that by turning off ports 7160 and 7161, Vantage Integration (deep linking) with the MOI UI WILL NOT be available.

Only use this security vulnerability patch if Vantage deep linking with MOI is not needed.

Environment

Release : 2.0

Component : MF OPERATIONAL INTELLIGENCE

Resolution

Steps to run the patch script on each MOI Appliance that is installed:

1) Download/Copy the patch-ssh-and-daas_1628619072372.sh file to the MOI appliance box.

2) Give execute permission to patch-ssh-and-daas_1628619072372.sh using the following command

   chmod +x patch-ssh-and-daas_1628619072372.sh

3) Execute the script using the following command

   ./patch-ssh-and-daas_1628619072372.sh

4) Once the execution is complete, the dataservice_dataservice_1 will be restarted since the daas ports were removed.

5) Execute the following command to monitor the health of the containers

   docker ps -a

   (wait 5 mins and check to ensure that all the Docker containers are up and healthy)
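To confirm on each appliance that the patch left both files in the state described above, the following check can be run after step 5. It is an added example, not part of the attached patch script: the function names are hypothetical, and it assumes the compose file lists the daas ports as literal numbers.

```shell
#!/bin/sh
# Added example: post-patch verification for the two files named in this article.
# Expected values are copied from the article; function names are hypothetical.

EXPECTED_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr"
EXPECTED_KEX="diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1"

# Print the value of the first uncommented occurrence of a keyword.
# sshd keeps the first value it reads, and keywords are case-insensitive.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Succeeds only when both directives match the patched values exactly.
check_sshd_config() {
    sshd_rc=0
    [ "$(sshd_value "$1" Ciphers)" = "$EXPECTED_CIPHERS" ] ||
        { echo "Ciphers mismatch in $1"; sshd_rc=1; }
    [ "$(sshd_value "$1" KexAlgorithms)" = "$EXPECTED_KEX" ] ||
        { echo "KexAlgorithms mismatch in $1"; sshd_rc=1; }
    return $sshd_rc
}

# Succeeds when no uncommented line still mentions port 7160 or 7161.
# Assumption: the ports appear as literal numbers in the compose file.
check_daas_ports() {
    if grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '(^|[^0-9])716[01]([^0-9]|$)'; then
        echo "port 7160/7161 still present in $1"
        return 1
    fi
    return 0
}

# Usage on the appliance: verify_patch && echo "patch state confirmed"
# Optional arguments override the default paths (useful for testing copies).
verify_patch() {
    rc=0
    check_sshd_config "${1:-/etc/ssh/sshd_config}" || rc=1
    check_daas_ports "${2:-/opt/moi/dataservice/normal/docker-compose.yml}" || rc=1
    return $rc
}
```

A mismatch is reported per directive, so a later manual edit of /etc/ssh/sshd_config that re-adds a weaker cipher shows up as a failure.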

Attachments

patch-ssh-and-daas_1628619072372.sh