vulnerability on VNA server Weak SSL/TLS Key Exchange


Article ID: 257977


Updated On:

Products

DX NetOps CA Virtual Network Assurance

Issue/Introduction

We have received a report of a vulnerability on the VNA server:

Change the SSL/TLS server configuration to only allow strong key exchanges.

Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie-Hellman and RSA key exchanges.

Environment

Release : 22.2.5 and older

Resolution

Follow the instructions below; the commands must be executed with root privileges.

  1. Go to the VNA WildFly bin directory (default /opt/CA/VNA/wildfly/bin/; your path may vary).
  2. Open the JBoss CLI console (./jboss-cli.sh).
  3. Type connect to connect to the server.
  4. Once connected, execute the following command: /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=cipher-suite-filter,value="ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305")
  5. A success message is returned (its process-state is reload-required, which the restart in step 6 satisfies). Then exit the JBoss CLI by typing exit.
  6. Restart the WildFly service (systemctl restart wildfly).


[[email protected] ~]# whoami
root
[[email protected] ~]# cd /opt/CA/VNA/wildfly/bin/
[[email protected] bin]# ./jboss-cli.sh
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
Unable to connect due to unrecognised server certificate
Subject    - CN=trond-team-vna,OU=Broadcom,O=Support,L=Portsmouth,ST=NH,C=US
Issuer     - CN=DX NetOps Edu Intermediate
Valid From - Thu Dec 15 19:07:20 UTC 2022
Valid To   - Fri Dec 15 19:07:19 UTC 2023
MD5 : be:b5:13:71:25:bd:fe:11:22:74:56:53:86:04:07:7f
SHA1 : f4:a1:79:64:0c:5f:78:64:84:5f:59:dd:ee:79:1b:a8:d1:d5:a3:c9

Subject    - CN=DX NetOps Edu Intermediate
Issuer     - CN=DX NetOps Edu Cert Authority
Valid From - Wed Dec 07 16:31:30 UTC 2022
Valid To   - Tue Dec 02 16:31:02 UTC 2042
MD5 : d0:9b:89:03:36:8b:10:ec:f7:f0:0b:6d:b9:25:8f:65
SHA1 : 6d:6d:c1:f9:f8:e4:a5:98:a9:bb:0d:ae:44:6f:cd:88:97:6d:88:67

Subject    - CN=DX NetOps Edu Cert Authority
Issuer     - CN=DX NetOps Edu Cert Authority
Valid From - Wed Dec 07 16:31:03 UTC 2022
Valid To   - Tue Dec 02 16:31:02 UTC 2042
MD5 : 20:58:fe:09:68:be:03:d5:3a:aa:f2:b6:9c:72:48:20
SHA1 : 65:03:c1:be:d0:d4:e6:e4:7c:97:89:ca:06:ec:c2:18:be:40:2e:9a

Accept certificate? [N]o, [T]emporarily, [P]ermanently : P
[[email protected]:9993 /] /subsystem=elytron/server-ssl-context=applicationSSC:write-attribute(name=cipher-suite-filter,value="ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305")
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

[[email protected]:9993 /] exit
[[email protected] bin]# systemctl restart wildfly
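As an added post-change check (not part of the KB article or the product), the script below audits a cipher-suite-filter value for key exchanges that are not ephemeral ECDH, reads the configured value back through jboss-cli, and probes a live port with openssl s_client; the HOST and PORT arguments and the script name are placeholders.

```shell
#!/bin/sh
# Added example, not from the KB article: audit a WildFly/Elytron
# cipher-suite-filter value for key exchanges weaker than ephemeral ECDH and,
# optionally, probe a live VNA HTTPS port (HOST and PORT are placeholders).

# 0 when the OpenSSL suite name uses ephemeral ECDH (forward secrecy; even
# P-256 gives 128-bit security), else 1. Names with no key-exchange prefix
# (AES128-SHA) mean static RSA key transport, only as strong as the certificate
# key; DHE-* depends on server DH parameters the name does not reveal.
is_strong_kx() {
    case "$1" in
        ECDHE-*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print each suite in a comma-separated filter that fails the check;
# return 0 when the whole filter is clean, 1 otherwise.
audit_filter() {
    bad=0
    IFS=,
    for suite in $1; do
        is_strong_kx "$suite" || { echo "weak key exchange: $suite"; bad=1; }
    done
    unset IFS
    return "$bad"
}

# One TLS 1.2 handshake with a single suite (cipher-suite-filter governs
# TLS 1.2; TLS 1.3 suites always use ephemeral (EC)DH). After the fix,
# AES128-SHA must be rejected while the ECDHE suites still succeed.
probe_suite() {
    if printf '' | openssl s_client -connect "$1:$2" -cipher "$3" -tls1_2 \
            >/dev/null 2>&1; then echo "$3: accepted"; else echo "$3: rejected"; fi
}

# Usage (from /opt/CA/VNA/wildfly/bin): sh audit_vna_tls.sh HOST PORT
# Reads the configured filter back through jboss-cli, audits it, then probes.
if [ "$#" -eq 2 ]; then
    filter=$(./jboss-cli.sh --connect \
        --command='/subsystem=elytron/server-ssl-context=applicationSSC:read-attribute(name=cipher-suite-filter)' \
        | sed -n 's/.*"result" => "\(.*\)".*/\1/p')
    audit_filter "$filter" && echo "filter OK: $filter"
    for s in AES128-SHA DHE-RSA-AES128-SHA ECDHE-RSA-AES128-GCM-SHA256; do
        probe_suite "$1" "$2" "$s"
    done
fi
```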


Additional Information

The JBoss CLI only asks you to accept the server certificates the first time the console connects, so you may not see that prompt.
