We recently upgraded our CloudProxies to version 25.2 to address the Spring Traversability vulnerability. After the upgrade, we are seeing ROBOT vulnerability detection on ports 9443 and 3443.
Port 9443 is the secure port for Tenant PROD9, and Port 3443 is the secure port for Tenant PROD3.
Disabling TLS 1.2 might resolve the vulnerability, but we are concerned that this could lead to agent connection loss.
As a workaround, set the flag as below.
# Protocols enabled for encrypted incoming connections (agent side)
# apm.server.secureProtocols: SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
# Protocols enabled for encrypted outgoing connections (SaaS side)
# apm.server.secureClientProtocols: TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
# A regex filter of ciphers for encrypted incoming connections (default: none)
# apm.server.cipherFilter: ^(?!TLS_RSA_)\w+$
Uncommenting the line with apm.server.cipherFilter in the configuration of the upcoming cloud proxy version works well to remove ciphersuites using TLS_RSA key exchange. The ciphersuite list reported by cipherscan (with the filter uncommented) contains only ECDHE ciphersuites, which are not susceptible to a ROBOT attack.
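To see what the regex in apm.server.cipherFilter actually keeps and drops, the following added example (not code from the original post or from the cloud proxy product) applies the same pattern to a constructed list of JSSE-style ciphersuite names and then checks that nothing with static RSA key exchange survives. It assumes the proxy's Java regex engine treats this pattern the same way Python's re module does, which holds for a simple negative lookahead and \w; the ciphersuite names are sample input, not a list taken from a real proxy.

```python
import re

# The filter exactly as it appears in the cloud proxy configuration comment.
CIPHER_FILTER = re.compile(r"^(?!TLS_RSA_)\w+$")

# Constructed sample of JSSE-style ciphersuite names (not a real proxy's list).
SAMPLE_CIPHERSUITES = [
    "TLS_AES_256_GCM_SHA384",                   # TLS 1.3: always ephemeral key exchange
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",    # RSA only signs; ECDHE does key exchange
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",          # static RSA key exchange (ROBOT-relevant)
    "TLS_RSA_WITH_AES_128_CBC_SHA",             # static RSA key exchange (ROBOT-relevant)
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",      # RSA only signs; DHE does key exchange
]


def apply_cipher_filter(names, pattern=CIPHER_FILTER):
    """Return the ciphersuites the proxy would leave enabled under the filter.

    A suite is kept only when the whole name matches the regex; the negative
    lookahead rejects every name starting with TLS_RSA_, i.e. static RSA
    key exchange, while names that merely contain RSA as the signature
    algorithm (ECDHE_RSA, DHE_RSA) pass.
    """
    return [name for name in names if pattern.fullmatch(name)]


def uses_static_rsa_key_exchange(name):
    """JSSE names static RSA key exchange suites with the TLS_RSA_ prefix."""
    return name.startswith("TLS_RSA_")


def remaining_rsa_kex(names):
    """List the suites in a list that still use static RSA key exchange.

    Use this as the post-change check: after applying the filter the
    result should be empty, matching the cipherscan observation above.
    """
    return [name for name in names if uses_static_rsa_key_exchange(name)]


if __name__ == "__main__":
    enabled = apply_cipher_filter(SAMPLE_CIPHERSUITES)
    print("Enabled after filter:")
    for name in enabled:
        print("  ", name)
    print("Static RSA key exchange still enabled:", remaining_rsa_kex(enabled))
```

Run it to compare the before and after lists; the filtered list keeps the TLS 1.3 suites and every ECDHE/DHE suite, including those signed with RSA certificates, so agents connecting with an RSA certificate on the proxy still have usable suites while the static RSA suites ROBOT depends on are gone.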