
Weak SSL findings on Secure CORBA Spectrum Ports


Article ID: 189064


Products

CA Spectrum

Issue/Introduction

Our Spectrum servers are scanned with the following findings on ports 14012 (SpectroSERVER), 14014 (LocServer), 14016 (nameserv), and high port 5XXXX (used by SpectroSERVER).


DO NOTE: the port scanned was NOT 443, which is used by OneClick and is configured with a proper SSL cipher and protocol.

Can you advise on which instance this applies to and how to resolve the weak SSL security finding on these ports?


Environment

Release: 10.3.x, 10.4.x

Component: Spectrum Core / SpectroSERVER / OneClick Server

Cause

Spectrum supports secure communication between the SpectroSERVER and the OneClick server using VisiBroker, which internally used 3DES for encryption up to release 10.3.1. Java 8 changed this default encryption method, so when Spectrum was upgraded to use Java 8, anonymous cipher suites were used for communication between the SpectroSERVER and the OneClick server. VisiBroker does not allow the default encryption method to be changed, which leads to the reported security vulnerability.

Resolution

This has to be addressed between Broadcom and Micro Focus. We will work with Micro Focus and come up with a solution in one of the upcoming releases.

WORKAROUND: How to DISABLE Secure CORBA: KB Link


Additional Information

This has been fixed out of the box in Spectrum 21.2.1 and higher.


Secure CORBA Enhancements
Secure communication between the OneClick server and SpectroSERVERs uses certificates and TLS v1.3 for authentication.
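The following Python script is an added example and is not part of this KB article or of the Spectrum product. It shows how an administrator can triage the scanner findings described in the Cause section (anonymous cipher suites and 3DES on the CORBA ports) and, after disabling Secure CORBA or upgrading to 21.2.1, confirm that the affected port no longer accepts an anonymous suite. The port-to-component map is taken from the article; the cipher-name conventions are OpenSSL's and IANA's; the host name and scanner output in the script are constructed sample data.

```python
"""Triage and re-check helper for 'weak SSL' findings on Spectrum CORBA ports.

Added example, not code from the Broadcom KB article. Port roles come from
the article; everything else (sample findings, host name) is constructed.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Ports named in the article and the Spectrum component listening on each.
SPECTRUM_CORBA_PORTS = {
    14012: "SpectroSERVER",
    14014: "LocServer",
    14016: "nameserv",
}


def component_for_port(port: int) -> str:
    """Map a scanned port to the Spectrum component named in the article."""
    if port in SPECTRUM_CORBA_PORTS:
        return SPECTRUM_CORBA_PORTS[port]
    # The article describes a "high port 5XXXX" used by the SpectroSERVER.
    if 50000 <= port <= 59999:
        return "SpectroSERVER (high port)"
    return "unknown"


def classify_cipher(name: str) -> str:
    """Classify a cipher suite name as reported by a scanner.

    Accepts OpenSSL names (ADH-AES256-SHA, DES-CBC3-SHA) and IANA names
    (TLS_DH_anon_WITH_AES_128_CBC_SHA). Returns 'anonymous' for suites with
    no server authentication, '3des' for Triple-DES suites, else 'other'.
    """
    n = name.upper()
    if n.startswith(("ADH-", "AECDH-")) or "_ANON_" in n:
        return "anonymous"
    if "3DES" in n or "DES-CBC3" in n or "DES_EDE" in n:
        return "3des"
    return "other"


def triage_findings(findings: List[Tuple[int, str]]) -> Dict[int, dict]:
    """Group (port, cipher) findings by port and bucket each cipher."""
    result: Dict[int, dict] = {}
    for port, cipher in findings:
        entry = result.setdefault(port, {
            "component": component_for_port(port),
            "anonymous": [], "3des": [], "other": [],
        })
        entry[classify_cipher(cipher)].append(cipher)
    return result


def probe_anonymous_tls(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Offer only anonymous suites and report whether the server accepts one.

    Returns the negotiated suite name if the listener still accepts an
    anonymous suite (the weak state the article describes), or None if it
    refuses. Anonymous suites exist only up to TLS 1.2, so a 21.2.1+ server
    using certificate-based TLS 1.3 is expected to refuse.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        # OpenSSL disables aNULL suites by default; SECLEVEL=0 re-enables them
        # for this deliberate check only.
        ctx.set_ciphers("aNULL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                suite_name, _version, _bits = tls.cipher()
                return suite_name
    except (ssl.SSLError, OSError):
        return None


# Constructed sample scanner output: (port, cipher suite name).
SAMPLE_FINDINGS = [
    (14012, "ADH-AES256-SHA"),
    (14014, "AECDH-AES128-SHA"),
    (14016, "DES-CBC3-SHA"),
    (51234, "TLS_DH_anon_WITH_AES_128_CBC_SHA"),
]

if __name__ == "__main__":
    for port, info in sorted(triage_findings(SAMPLE_FINDINGS).items()):
        print(port, info["component"], "anonymous:", info["anonymous"], "3des:", info["3des"])
    # Re-check a host after the workaround or upgrade (hypothetical host name).
    print("spectroserver.example.invalid:14012 ->",
          probe_anonymous_tls("spectroserver.example.invalid", 14012))
```

Run the triage part offline against the scanner's exported cipher list; run `probe_anonymous_tls` only against your own SpectroSERVER after applying the workaround or upgrading, where a `None` result means the anonymous-suite finding is gone.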
