CVE scan reports weak cipher ECDHE-RSA-AES256-SHA supported on port 8443 used for Controller–Service Engine secure-channel communication.

Article ID: 424141


Products

VMware Avi Load Balancer

Issue/Introduction

  • Secure-channel communication between the Avi Controller and its Service Engines (SEs) runs over TLS on Controller port 8443.

  • A vulnerability scan of the Controller reports that this listener accepts the cipher suite ECDHE-RSA-AES256-SHA (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA).

  • The scanning tool flags this suite as weak because it uses AES in CBC mode with an HMAC-SHA1 MAC rather than an AEAD suite such as AES-GCM.

Environment

  • VMware Avi Load Balancer

Cause


  • Port 8443 is an internal management port: only the Controller nodes and the Service Engines are expected to use it.

  • The listener on this port is served by Envoy, which is started with a predefined, system-level list of cipher suites.

  • ECDHE-RSA-AES256-SHA is part of that built-in list. The list is not exposed as a setting, so the cipher cannot be disabled through the UI or the API.

  • Because the suite is still offered by the listener, any scanner that enumerates the ciphers accepted on port 8443 reports it.


Resolution

Temporary Workaround

If the cipher must be removed to satisfy vulnerability scan requirements, perform the following on every Controller node, one node at a time:

  • Log in to the Controller node over SSH and open a shell (CLI).

  • Change to the Envoy configuration directory: 

    /var/lib/avi/envoy
  • Back up envoy_lds.yaml, then edit it and delete the entry for the cipher:

    ECDHE-RSA-AES256-SHA
    
    Remove only that exact entry; leave any similarly named suite (for example ECDHE-RSA-AES256-SHA384) in place if it is present.
  • Save the file and restart the Envoy service:

    systemctl restart envoy.service
  • Confirm that Envoy is running again on this node before moving on, then repeat the steps on the next Controller node. Restart Envoy on only one Controller node at a time.
  • The change is temporary: it is reverted when the Controller reboots, so the cipher reappears and the steps must be repeated after a reboot.
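The procedure above, collected into a small POSIX shell helper. This is an added example, not Broadcom/VMware Avi code, and it assumes (this is not confirmed by the article) that envoy_lds.yaml lists the cipher suites one per line as YAML list items, in the form Envoy's `tls_params.cipher_suites` setting uses. The `make_sample` function writes a constructed fragment in that shape so the edit and the check can be tried on a scratch file before touching a Controller; `probe_cipher` uses the stock `openssl s_client` client and must be run from a host that is allowed to reach port 8443.

```shell
#!/bin/sh
# Added example (not Broadcom/VMware Avi code). Assumes envoy_lds.yaml lists
# cipher suites one per line as YAML list items under Envoy's
# tls_params.cipher_suites; the real file layout is an assumption here.
WEAK_CIPHER='ECDHE-RSA-AES256-SHA'
ENVOY_LDS='/var/lib/avi/envoy/envoy_lds.yaml'

# cipher_line_re CIPHER: BRE matching a YAML list item that holds exactly CIPHER,
# optionally double-quoted. The trailing anchor stops ECDHE-RSA-AES256-SHA from
# also matching ECDHE-RSA-AES256-SHA384.
cipher_line_re() {
  printf '%s' '^[[:space:]]*-[[:space:]]*["]\{0,1\}'"$1"'["]\{0,1\}[[:space:]]*$'
}

# count_cipher FILE CIPHER: print how many list entries in FILE name CIPHER exactly.
count_cipher() {
  grep -c -- "$(cipher_line_re "$2")" "$1" || true
}

# remove_cipher FILE CIPHER: keep a timestamped backup, then drop the exact entry.
# The edited content is written back with cat so the file keeps its owner and mode.
remove_cipher() {
  _file=$1 _cipher=$2
  cp -p "$_file" "$_file.bak.$(date +%Y%m%d%H%M%S)" || return 1
  _tmp=$(mktemp) || return 1
  sed -e "/$(cipher_line_re "$_cipher")/d" "$_file" > "$_tmp" && cat "$_tmp" > "$_file"
  rm -f "$_tmp"
}

# probe_cipher HOST CIPHER: succeed if HOST:8443 still negotiates CIPHER.
# CBC/SHA1 suites are TLS 1.2 names, so the handshake is pinned to TLS 1.2.
probe_cipher() {
  echo | openssl s_client -connect "$1:8443" -tls1_2 -cipher "$2" >/dev/null 2>&1
}

# apply_workaround: the per-node steps from this article for ONE Controller node.
# Run it on each node in turn, never on several nodes at once.
apply_workaround() {
  remove_cipher "$ENVOY_LDS" "$WEAK_CIPHER" || return 1
  [ "$(count_cipher "$ENVOY_LDS" "$WEAK_CIPHER")" = "0" ] || { echo "cipher still present" >&2; return 1; }
  systemctl restart envoy.service
}

# make_sample FILE: write a constructed envoy_lds.yaml fragment (not the real file)
# so the functions above can be exercised on a scratch copy.
make_sample() {
  cat > "$1" <<'EOF'
static_resources:
  listeners:
  - name: secure_channel_8443
    filter_chains:
    - transport_socket:
        typed_config:
          common_tls_context:
            tls_params:
              cipher_suites:
              - ECDHE-RSA-AES256-GCM-SHA384
              - ECDHE-RSA-AES256-SHA384
              - "ECDHE-RSA-AES256-SHA"
EOF
}
```

Typical use on a node: source the file, run `apply_workaround` as a user allowed to edit `/var/lib/avi/envoy` and restart Envoy, then from a scanning host run `probe_cipher <controller-ip> ECDHE-RSA-AES256-SHA`; a non-zero exit means the listener no longer accepts the suite. Keep the timestamped `.bak` file so the node can be returned to its original state.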

Permanent Resolution

A permanent fix to address the weak cipher will be provided in a future release.