Our Spectrum servers are scanned with the following findings on ports 14012 (SpectroSERVER), 14014 (LocServer), 14016 (nameserv), and high port 5XXXX (used by SpectroSERVER).
DO NOTE: the port scanned was NOT 443, which is used by OneClick and is configured with proper SSL ciphers and protocols.
Can you advise on what instance and how to resolve the weak SSL security on the ports?
Release: 10.3.x, 10.4.x
Component: Spectrum Core / SpectroSERVER / OneClick Server
Spectrum secures communication between SpectroSERVER and the OneClick server through VisiBroker, which internally used 3DES for encryption up to release 10.3.1. Java 8 changed this default encryption method, so once Spectrum was upgraded to Java 8, anonymous cipher suites came to be used for the SpectroSERVER to OneClick server communication. VisiBroker does not allow its default encryption method to be changed, which leaves this security vulnerability in place.
This has to be addressed between Broadcom and Micro Focus. We will work with Micro Focus and come up with a solution in one of the upcoming releases.
WORKAROUND: How to DISABLE Secure CORBA: KB Link
This has been fixed out of the box in Spectrum 21.2.1 and higher.
Secure CORBA Enhancements
Secure communication between the OneClick server and SpectroSERVERs uses certificates and TLS v1.3 for authentication.
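Added check, not part of this KB article or of Spectrum: a small Python script that offers only anonymous (aNULL) suites to the CORBA ports named in the finding, so a team can confirm the weakness before applying the workaround and confirm it is gone after upgrading to 21.2.1 (a TLS 1.3 only listener will refuse the probe). The host name and the site-specific 5xxxx high port are supplied by the caller; the cipher-list string uses OpenSSL syntax.

```python
import socket
import ssl

# CORBA listeners named in the scan finding; the 5xxxx SpectroSERVER port is
# site-specific, so pass it to check_ports() explicitly.
SPECTRUM_CORBA_PORTS = {14012: "SpectroSERVER", 14014: "LocServer", 14016: "nameserv"}


def is_anonymous_suite(name: str) -> bool:
    """True for suites with no server authentication, in OpenSSL or IANA naming."""
    n = name.upper()
    return n.startswith(("ADH-", "AECDH-")) or "_ANON_" in n


def is_weak_suite(name: str) -> bool:
    """Anonymous suites, plus the 3DES suites VisiBroker used before Java 8."""
    n = name.upper()
    return is_anonymous_suite(name) or "3DES" in n or "DES-CBC3" in n


def anonymous_client_context() -> ssl.SSLContext:
    """Client context that offers only anonymous DH/ECDH suites (TLS <= 1.2)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # anonymous suites carry no certificate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no anonymous suites
    ctx.set_ciphers("aNULL:@SECLEVEL=0")          # OpenSSL cipher-list syntax
    return ctx


def probe_anonymous(host: str, port: int, timeout: float = 5.0):
    """Return the negotiated anonymous suite name, or None if the listener refuses."""
    ctx = anonymous_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                suite = tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None
    return suite if is_anonymous_suite(suite) else None


def check_ports(host: str, extra_ports=()) -> dict:
    """Map each Spectrum CORBA port to its negotiated anonymous suite (or None)."""
    ports = dict(SPECTRUM_CORBA_PORTS)
    ports.update({int(p): "SpectroSERVER (high port)" for p in extra_ports})
    return {f"{port}/{name}": probe_anonymous(host, port) for port, name in ports.items()}


if __name__ == "__main__":
    import sys
    # usage: python check_spectrum_tls.py <spectroserver-host> [high-port ...]
    for label, suite in check_ports(sys.argv[1], sys.argv[2:]).items():
        print(label, f"ACCEPTS anonymous suite {suite}" if suite else "refuses anonymous suites")
```

A port that reports "ACCEPTS anonymous suite" is the condition the scanner flagged; after the 21.2.1 upgrade every CORBA port should report "refuses anonymous suites".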