
SSL/TLS Use of Weak Cipher Rivest Cipher 4 vulnerabilities and DCI UI


Article ID: 229911


Products

Dynamic Capacity Intelligence

Issue/Introduction

There are a couple of known vulnerabilities related to the SSL/TLS use of the weak cipher Rivest Cipher 4 (RC4/ARC4/ARCFOUR):

CVE-2015-2808

CVE-2013-2566

Could the WebUI of Dynamic Capacity Intelligence (DCI) be affected by these?

 

Environment

Release: 2.0
Component: DYNAMIC CAPACITY INTELLIGENCE, zPrice Manager

Resolution

The WebUI does not support HTTPS (secured sockets), so it does not negotiate any SSL/TLS cipher, RC4 included. The WebUI resides in the ZFS file and runs under the control of the IBM-provided HTTP server. The UI itself runs from the browser, but the HTTP server should be running behind any firewall that you have established.

The UI is a retrieval-only application: it only extracts data from the ZFS files through the HTTP server and builds the reports in the browser. Nothing is sent back to be intercepted or exposed. As you manipulate reports, we continually retrieve the data and rebuild the reports.

If we were going to run a more interactive UI, driving application code in a web server such as Tomcat or WAS and passing data from the web app to z/PM or DCI, then we would absolutely need to implement and support secured protocols. That is not the case at this time.
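When a scanner reports the RC4 CVEs against a host, one way to confirm which case a given listener falls into is to look at the first bytes it returns. The following is an added example, not part of the original article or the product: it separates a plaintext HTTP reply from a TLS ServerHello and, for TLS, reads the selected cipher suite and compares it with RC4 suite IDs. The function names and the sample bytes are constructed for illustration.

```python
import struct

# RC4 cipher suite IDs from the IANA TLS Cipher Suites registry (subset).
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a listener sent back to a probe."""
    if data.startswith(b"HTTP/"):
        return "plaintext-http"        # no TLS, so no cipher is negotiated
    if len(data) < 5 or data[1] != 0x03:
        return "unknown"
    rec_type, _version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if rec_type == 0x15:
        return "tls-alert"             # handshake refused, e.g. no shared cipher
    if rec_type != 0x16 or len(body) < 4 or body[0] != 0x02:
        return "unknown"
    # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid suite(2)
    pos = 4 + 2 + 32
    if len(body) < pos + 1:
        return "unknown"               # truncated before session id length
    pos += 1 + body[pos]               # skip the session id
    if len(body) < pos + 2:
        return "unknown"               # truncated before cipher suite
    (suite,) = struct.unpack("!H", body[pos:pos + 2])
    if suite in RC4_SUITES:
        return "tls-rc4:" + RC4_SUITES[suite]
    return "tls-other:0x%04X" % suite

def build_server_hello(suite: int) -> bytes:
    """Constructed sample ServerHello record (not a capture)."""
    hs_body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for sample in (b"HTTP/1.1 200 OK\r\n", build_server_hello(0x0005),
                   build_server_hello(0xC02F), b"\x15\x03\x03\x00\x02\x02\x28"):
        print(classify_reply(sample))
```

A `plaintext-http` result means the finding cannot come from that port, and the scanner hit is likely against a different TLS listener on the same host.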