Security scanners flag the system as being vulnerable to CVE-2009-3555 in VMware vRealize Automation 7.x

Article ID: 303171


Products

VMware Aria Suite

Issue/Introduction

This finding can normally be ignored. The workaround in this article stops subsequent scans from flagging it.

Symptoms:
  • You are running VMware vRealize Automation 7.x
  • Security scanners flag the system as being vulnerable to CVE-2009-3555
    • TLS Protocol Session Renegotiation Security Vulnerability


Resolution

VMware is aware of this issue. See the workaround section below for additional information.

Workaround:

Prerequisites

  • Take simultaneous non-memory snapshots of each virtual appliance in the cluster.

Procedure

  1. To prevent future scans from reporting this vulnerability, add the following flag to the ssl_options section of the /etc/rabbitmq/rabbitmq.config file:
    {client_renegotiation, false}
For example, add it between {verify, verify_peer} and {fail_if_no_peer_cert, false} as shown below:
    {verify, verify_peer},
    {client_renegotiation, false},
    {fail_if_no_peer_cert, false}
The file is an Erlang term list, so every entry except the last one in the list needs its trailing comma; a syntax error in this file prevents rabbitmq-server from starting.
  2. Restart the RabbitMQ server service:
    service rabbitmq-server restart
Note: Do this on every appliance in the cluster during a maintenance window, as restarting rabbitmq-server can cause unexpected product behavior such as failing requests in flight.
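The following script applies step 1 without hand-editing: it inserts {client_renegotiation, false} directly after {verify, verify_peer} in ssl_options, rewrites an existing flag to false if one is already there, backs up the file, and re-parses the result with file:consult/1 when an Erlang VM is on PATH. This is an added example, not VMware's or RabbitMQ's own tooling; it assumes Python 3, a single classic-format ssl_options block as shown in the article, and the constructed sample config is illustrative only.

```python
"""Idempotently add {client_renegotiation, false} to the ssl_options section
of a classic-format rabbitmq.config (added example; assumes Python 3)."""
import re
import shutil
import subprocess
import sys

CONFIG_PATH = "/etc/rabbitmq/rabbitmq.config"   # path named in the article
FLAG = "{client_renegotiation, false}"

SSL_OPTIONS_RE = re.compile(r"\{\s*ssl_options\s*,\s*\[")
VERIFY_RE = re.compile(r"\{\s*verify\s*,\s*verify_peer\s*\}")
FLAG_RE = re.compile(r"\{\s*client_renegotiation\s*,\s*(true|false)\s*\}")


def client_renegotiation_state(config_text):
    """Return 'true' or 'false' if the flag is present in the text, else None."""
    m = FLAG_RE.search(config_text)
    return m.group(1) if m else None


def disable_client_renegotiation(config_text):
    """Return the config text with client renegotiation disabled.

    An existing {client_renegotiation, _} tuple is rewritten to false.
    Otherwise the flag is inserted straight after the first
    {verify, verify_peer} (the position the article uses). A comma is
    placed after the verify tuple, so the list stays valid Erlang whether
    or not another option follows it.
    """
    if FLAG_RE.search(config_text):
        return FLAG_RE.sub(FLAG, config_text)
    if not SSL_OPTIONS_RE.search(config_text):
        raise ValueError("no ssl_options section found; nothing to patch")
    m = VERIFY_RE.search(config_text)
    if m is None:
        raise ValueError("ssl_options has no {verify, verify_peer}; add the flag by hand")
    line_start = config_text.rfind("\n", 0, m.start()) + 1
    indent = " " * (m.start() - line_start)     # align under the verify tuple
    return config_text[:m.end()] + ",\n" + indent + FLAG + config_text[m.end():]


def erlang_syntax_ok(path):
    """Parse the file with the Erlang VM if one is on PATH (a RabbitMQ host
    has one). file:consult/1 only succeeds on well-formed terms, which is
    the same parse rabbit performs at startup. Returns None if no VM."""
    if shutil.which("erl") is None:
        return None
    expr = 'case file:consult("%s") of {ok, _} -> halt(0); _ -> halt(1) end.' % path
    return subprocess.run(["erl", "-noinput", "-eval", expr]).returncode == 0


def patch_config_file(path=CONFIG_PATH):
    """Back up, rewrite and syntax-check the config. Returns True if changed."""
    with open(path) as f:
        before = f.read()
    after = disable_client_renegotiation(before)
    if after == before:
        return False
    shutil.copy2(path, path + ".bak")
    with open(path, "w") as f:
        f.write(after)
    if erlang_syntax_ok(path) is False:
        shutil.copy2(path + ".bak", path)       # roll back a file rabbit would reject
        raise RuntimeError("patched config failed to parse; backup restored")
    return True


# Constructed sample (not a real vRA file) shaped like the article's ssl_options.
SAMPLE_CONFIG = """[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/etc/rabbitmq/certs/cacert.pem"},
                   {certfile,   "/etc/rabbitmq/certs/cert.pem"},
                   {keyfile,    "/etc/rabbitmq/certs/key.pem"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, false}]}
  ]}
].
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else CONFIG_PATH
    print("patched" if patch_config_file(target) else "already disabled", target)
```

Run it as root on each appliance before step 2; the .bak copy is the quick way back if the broker refuses to start. After the restart, rabbitmqctl environment prints the effective ssl_options of the running broker, which is the check that the flag is actually in force rather than merely in the file.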


Additional Information

Impact/Risks:
This is not directly exploitable from a remote machine without a client X.509 certificate that the RabbitMQ server accepts.