vulnerability on VNA server Weak SSL/TLS Key Exchange

Article ID: 257977


Products

DX NetOps CA Virtual Network Assurance

Issue/Introduction

We have received a report of a vulnerability on the VNA server:

Change the SSL/TLS server configuration to only allow strong key exchanges.

Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.

Environment

Release : 22.2.5 and older

Resolution

Follow the instructions below. The commands must be executed with root privilege.

  1. Go to the VNA WildFly install location (default /opt/CA/VNA/wildfly/bin/; your path may vary).
  2. Open the JBoss console (./jboss-cli.sh).
  3. Type connect to connect to the console.
  4. Once connected, execute the following command:
     /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=cipher-suite-filter,value="ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305")
  5. A success message will be returned (with process-state reload-required). Then exit the JBoss CLI by typing exit.
  6. Restart the WildFly service (systemctl restart wildfly).
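The filter written in step 4 leaves only ECDHE suites, which is what removes the weak key exchanges the scanner reported. The following Python script is an added example, not part of this article or of the VNA product: it parses a cipher-suite-filter value in the OpenSSL naming used above and flags any suite whose key exchange does not meet the 2048-bit (112-bit security) bar quoted in the report. The PERMISSIVE_FILTER list and the dh_bits/rsa_bits parameters are constructed inputs, not values taken from a VNA server.

```python
"""Flag weak key exchanges in a WildFly/Elytron cipher-suite-filter value."""
from collections import namedtuple

MIN_KEY_BITS = 2048  # DH/RSA size giving ~112 bits of security, per the report
KX_PREFIXES = ("ECDHE-", "DHE-", "ECDH-", "DH-")
Finding = namedtuple("Finding", "suite key_exchange ok reason")

def key_exchange_of(suite: str) -> str:
    """Read the key exchange off an OpenSSL-style suite name. Names with no
    prefix (e.g. AES128-GCM-SHA256) mean static RSA key transport; TLS 1.3
    names (TLS_AES_...) always negotiate ephemeral (EC)DH."""
    if suite.startswith("TLS_"):
        return "TLS1.3-(EC)DHE"
    for prefix in KX_PREFIXES:
        if suite.startswith(prefix):
            return prefix[:-1]
    return "RSA"

def assess_suite(suite, dh_bits=None, rsa_bits=None):
    """dh_bits / rsa_bits are the server's DH-parameter and certificate key
    sizes (constructed inputs); None means 'not verified' and fails the check."""
    kx = key_exchange_of(suite)
    if kx in ("ECDHE", "TLS1.3-(EC)DHE"):
        return Finding(suite, kx, True, "ephemeral ECDH, forward secrecy")
    if kx == "DHE":
        return Finding(suite, kx, bool(dh_bits and dh_bits >= MIN_KEY_BITS),
                       f"ephemeral DH, parameter size {dh_bits or 'not verified'}")
    if kx == "RSA":
        return Finding(suite, kx, bool(rsa_bits and rsa_bits >= MIN_KEY_BITS),
                       f"static RSA key transport, key size {rsa_bits or 'not verified'}")
    return Finding(suite, kx, False, "static (EC)DH, no forward secrecy")

def assess_filter(cipher_suite_filter, **kw):
    return [assess_suite(s.strip(), **kw)
            for s in cipher_suite_filter.split(",") if s.strip()]

def weak_suites(cipher_suite_filter, **kw):
    return [f.suite for f in assess_filter(cipher_suite_filter, **kw) if not f.ok]

# The value the resolution writes to cipher-suite-filter.
HARDENED_FILTER = ("ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,"
                   "ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,"
                   "ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305")
# Constructed permissive list for illustration, not taken from a VNA server.
PERMISSIVE_FILTER = "AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256"

if __name__ == "__main__":
    for f in assess_filter(PERMISSIVE_FILTER, dh_bits=1024, rsa_bits=2048):
        print("OK  " if f.ok else "WEAK", f"{f.suite:<30} {f.reason}")
    print("weak suites in hardened filter:", weak_suites(HARDENED_FILTER))
```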


[root@system ~]# whoami
root
[root@system ~]# cd /opt/CA/VNA/wildfly/bin/
[root@system bin]# ./jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
Unable to connect due to unrecognised server certificate
Subject    - CN=system,OU=Broadcom,O=Support,L=Portsmouth,ST=NH,C=US
Issuer     - CN=DX NetOps Intermediate
Valid From - Thu Dec 15 19:07:20 UTC 2022
Valid To   - Fri Dec 15 19:07:19 UTC 2023

Subject    - CN=DX NetOps
Issuer     - CN=DX NetOps
Valid From - Wed Dec 07 16:31:30 UTC 2022
Valid To   - Tue Dec 02 16:31:02 UTC 2042

Subject    - CN=DX NetOps
Issuer     - CN=DX NetOps
Valid From - Wed Dec 07 16:31:03 UTC 2022
Valid To   - Tue Dec 02 16:31:02 UTC 2042

Accept certificate? [N]o, [T]emporarily, [P]ermanently : P
[standalone@localhost:9993 /] /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=cipher-suite-filter,value="ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9993 /] exit
[root@system bin]# systemctl restart wildfly


Additional Information

You only have to accept the JBoss certificates the first time the console is used, so you may not see that part.