Weak key exchange algorithms enabled in NetOps Performance Management


Article ID: 236962




CA Performance Management - Usage and Administration DX NetOps


This shows up in the security scan; can you check if this is CAPM related?

Plugin Output: The following weak key exchange algorithms are enabled:


The remote SSH server is configured to allow key exchange algorithms which are considered weak. This is based on the IETF draft document "Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)" (draft-ietf-curdle-ssh-kex-sha2-20). Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be enabled. This includes:


Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.

Do the DX NetOps Performance Management release and any of its component systems enable weak diffie-hellman-group key exchange algorithms?

Nessus scanning tools were used to find the problem.


All supported DX NetOps Performance Management releases


  • Triggered by findings from:
    • Data Repository (DR): the OS SSH server (sshd) that Vertica uses.
    • Data Aggregator (DA) and Data Collector (DC) systems running 21.2.2 and older releases:
      • The DA/DC karaf process runs its own internal sshd service, separate from the OS sshd.
      • It listens on the karaf sshd ports 8501/8601.


How can we remediate this concern?

  • Data Repository (DR)
    • The SSH server Vertica uses is the operating system's own sshd, not a product component.
    • Neither the Broadcom installer nor the Vertica database installer installs, updates or manages it.
    • Vertica uses it but does not own it, so the key exchange algorithms it offers are an OS configuration matter.
    • Consult your system administrators or the OS vendor for the remediation steps (typically, removing the flagged algorithms from the sshd configuration).
  • Data Aggregator (DA) and Data Collector (DC)
    • The finding applies only to 21.2.2 and older releases.
    • It is remediated in 21.2.3 and later releases, which include an updated karaf version.
    • The new karaf version allows the internal sshd to be locked down and configures stronger key exchange algorithms.
    • If the DA and/or DC(s) flagged by the scan run 21.2.2 or older, upgrade them to remediate the finding.
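The article leaves the OS-level fix to the system administrators. As an added example (not part of the Broadcom article, and not a Broadcom or Vertica procedure), the POSIX shell script below checks the KEX methods an sshd actually offers against the SHOULD NOT / MUST NOT entries of the draft the plugin cites, and derives a KexAlgorithms line with those methods removed. Use it on the DR host to confirm the Nessus finding before and after editing sshd_config; for the DA/DC karaf sshd the article's remediation is the upgrade, so there the check only confirms that the upgrade took effect. The flagged-method list is this example's reading of draft-ietf-curdle-ssh-kex-sha2 Section 4 (the article's own list did not survive extraction, so verify it against the draft), the use of sshd -T to read the effective server list is an assumption about the DR host running OpenSSH, and the sample KEX list is constructed rather than real scan output.

```shell
#!/bin/sh
# Added example (not from the Broadcom article): audit the KEX methods an SSH
# server offers against the SHOULD NOT / MUST NOT entries of
# draft-ietf-curdle-ssh-kex-sha2 section 4, and derive a hardened sshd_config
# KexAlgorithms line from whatever is left.

# Return 0 (true) when $1 is a KEX method the draft marks SHOULD NOT or MUST NOT.
# The patterns are this example's reading of section 4 (assumption: check them
# against the draft). The gss-* methods carry a per-mechanism suffix, hence the
# wildcards. diffie-hellman-group14-sha1 is MAY in the draft and is deliberately
# not flagged here, even though many hardening baselines drop it as well.
is_weak_kex() {
    case "$1" in
        diffie-hellman-group-exchange-sha1|diffie-hellman-group1-sha1|rsa1024-sha1) return 0 ;;
        gss-gex-sha1-*|gss-group1-sha1-*|gss-group14-sha1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_kex LIST: LIST is comma separated, as 'sshd -T' prints it.
# Prints every weak method, one per line; returns 1 if any were found, else 0.
audit_kex() {
    _bad=0
    _ifs=$IFS; IFS=','
    for _alg in $1; do
        if is_weak_kex "$_alg"; then
            printf '%s\n' "$_alg"
            _bad=1
        fi
    done
    IFS=$_ifs
    return $_bad
}

# strong_kex LIST: prints LIST with the weak methods removed, still comma
# separated and in the server's original preference order, ready to paste as
# the value of a KexAlgorithms directive.
strong_kex() {
    _out=''
    _ifs=$IFS; IFS=','
    for _alg in $1; do
        is_weak_kex "$_alg" && continue
        _out="${_out:+$_out,}$_alg"
    done
    IFS=$_ifs
    printf '%s\n' "$_out"
}

# Effective KEX list of the local OpenSSH sshd (needs root; empty if no sshd).
# Assumption: the host runs OpenSSH, whose 'sshd -T' dumps the effective config.
local_sshd_kex() {
    sshd -T 2>/dev/null | awk '$1 == "kexalgorithms" { print $2 }'
}

# Constructed sample standing in for 'sshd -T' output on a host that still
# offers SHA-1 group-exchange, group1 and rsa1024 methods (not real scan data).
SAMPLE_KEX='curve25519-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,rsa1024-sha1'

# Pick the list to audit: the local sshd, a list given on the command line,
# or the constructed sample when run with no arguments.
case "${1-}" in
    --local) list=$(local_sshd_kex) ;;
    '')      list=$SAMPLE_KEX ;;
    *)       list=$1 ;;
esac
if [ -z "$list" ]; then
    echo "no KEX list to audit (is sshd installed, and are you root?)" >&2
    exit 2
fi
if audit_kex "$list"; then
    echo "no SHOULD NOT / MUST NOT KEX methods offered"
else
    echo "weak KEX methods listed above; suggested sshd_config line:"
    echo "KexAlgorithms $(strong_kex "$list")"
fi
```

Run it as `sh kexaudit.sh` for the sample, `sudo sh kexaudit.sh --local` on the DR host, or `sh kexaudit.sh 'a,b,c'` with a comma-separated list copied from a remote enumeration such as `nmap --script ssh2-enum-algos -p 22 host` (the script name is an assumption). Put the suggested line in /etc/ssh/sshd_config, restart sshd, and rescan. Before applying it, confirm that at least one remaining method is supported by every client that connects to the host (Vertica nodes included); removing an algorithm that a client still depends on locks out the client rather than the weakness.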