Article ID: 230168


CA Workload Automation AE


We need help fixing some vulnerabilities on a CA WAAE 12.0.1 server with the EEM utility.
I've got a list of vulnerabilities from Qualys that use port 509. As I understand it, all of them belong to dxserver or EEM.
- Secure Sockets Layer/Transport Layer Security (SSL/TLS) Use of Weak Cipher Rivest Cipher 4 (RC4/ARC4/ARCFOUR)
- SSL Server Allows Anonymous Authentication Vulnerability
- Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)



Release : 12.0

Component : CA Workload Automation AE (AutoSys)


You can configure a cipher of your choice (it must be one that CA Directory supports) so that port 509 communicates using only that cipher and does not allow NULL ciphers.

This is done in the ssl section of the following dxc file.


# eiam repository
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "ECDHE-RSA-AES256-GCM-SHA384"
protocol = tls
};

OpenSSL s_client output after enabling the ECDHE cipher (a request that offers only anonymous ciphers now fails the handshake):

#openssl s_client -connect -cipher aNULL
WARNING: can't open config file: C:/OpenSSL/openssl.cnf
25612:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 170 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : 0000
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1638514009
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

CVE-2016-2183, CVE-2013-2566 and CVE-2015-2808 can also be avoided by configuring ciphers from the ECDHE-* or DHE-* suites.
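
To re-check the listener for all three scanner findings after the change, the s_client test above can be repeated per cipher class. The script below is an added example, not vendor code: the function names, the `TLS_TARGET` variable and the host `eem.example.com` are assumptions, and the two sample lines are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Re-tests a TLS listener for the three findings.
EXPECTED="ECDHE-RSA-AES256-GCM-SHA384"   # cipher set in the dxc file on this page
WEAK_CLASSES="aNULL RC4 3DES"            # anonymous auth, RC4, 64-bit block (Sweet32)
# Read `openssl s_client` output on stdin and print the negotiated cipher,
# or NONE when no handshake completed ("Cipher is (NONE)" or no output).
negotiated_cipher() {
    awk '/Cipher is / { sub(/.*Cipher is /, ""); c = $0 }
         END { if (c == "" || c == "(NONE)") print "NONE"; else print c }'
}

# A weak class passes only when the server negotiated nothing for it.
verdict() {
    if [ "$1" = "NONE" ]; then echo PASS; else echo FAIL; fi
}

# Offer one cipher string; TLS 1.2 is forced since -cipher ignores TLS 1.3 suites.
probe() {
    openssl s_client -connect "$1" -tls1_2 -cipher "$2" </dev/null 2>&1 |
        negotiated_cipher
}

check_listener() {
    # Positive control: without it an unreachable port reads as all-PASS.
    if [ "$(probe "$1" "$EXPECTED")" = "NONE" ]; then
        echo "ERROR: $1 did not negotiate $EXPECTED"; return 2
    fi
    for class in $WEAK_CLASSES; do
        # A client build with no suites in this class cannot offer it.
        if ! openssl ciphers "$class" >/dev/null 2>&1; then
            echo "$class SKIP (local openssl has no such suites)"; continue
        fi
        got=$(probe "$1" "$class")
        echo "$class $(verdict "$got") negotiated=$got"
    done
}

# Constructed samples (the first mirrors the failed handshake on this page).
SAMPLE_REJECTED='New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is RC4-SHA'

if [ -n "${TLS_TARGET:-}" ]; then        # e.g. TLS_TARGET=eem.example.com:509
    check_listener "$TLS_TARGET"
else
    for s in "$SAMPLE_REJECTED" "$SAMPLE_ACCEPTED"; do
        echo "sample -> $(verdict "$(printf '%s\n' "$s" | negotiated_cipher)")"
    done
fi
```

A client-side security-level policy can also stop openssl from offering a weak suite even when the build lists it, so run the check from a client known to support RC4, 3DES and anonymous suites.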