Technical Blog Post
Fixing APM UI 7.7 vulnerabilities
Running the Nessus scan tool revealed several vulnerabilities on port 9443, the port used by APM UI 7.7.
This is the list of the most important vulnerabilities, together with the suggestions the tool provides to fix them.
A) [high] [9443/101155152/www] SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
Nessus recommends to "Disable SSLv3". For IBM HTTP Server, edit the httpd.conf file and disable SSLv3 and SSLv2 in each context that contains "SSLEnable" -> SSLProtocolDisable SSLv3 SSLv2
B) [high] [9443/101155152/www] SSL Version 2 and 3 Protocol Detection (POODLE)
Nessus recommends configuring the server to disable SSLv2 and SSLv3 and to enable TLS (preferably v1.2).
C) [high] [9443/101155152/www] TLS Version 1.2 Protocol Not Enabled
Nessus recommends enabling TLSv1.2. For IBM HTTP Server, ensure that the configuration of each Virtual Host container contains the TLSv12 option in the SSLProtocolEnable directive: "SSLProtocolEnable TLSv11 TLSv1.2"
D) [high] [9443/101155152/www] SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
Nessus recommends replacing the certificate in the chain whose RSA key is shorter than 2048 bits with one that has a longer key, and reissuing any certificates it signed.
E) [medium] [9443/101155152/www] SSL RC4 Cipher Suites Supported
Nessus recommends reconfiguring the affected application, if possible, to avoid the use of RC4 ciphers.
This refers to secret-key (symmetric) ciphers, not to public-key algorithms, whose keys are typically 1024 bits and longer.
F) [medium] [9443/101155152/www] Secure Socket Layer (SSL) Expired Certificate
Nessus recommends replacing the expired certificate with a new, valid certificate.
How can the above vulnerabilities be addressed for APM UI 7.7?
Vulnerabilities A, B and C are addressed by the following instructions.
The Blaze team stated that the POODLE and BEAST vulnerabilities are fixed in Blaze 2.3.0.3 and later versions.
Blaze 2.3.0.3 is adopted in APM UI 7.7 IF03.
The APMUI configuration file needs to be changed to disable SSL and to support TLS v1.2 and above. These are the required steps:
1) Apply APMUI 7.7 IF3, because Blaze 2.3.0.3 is picked up in this fix.
The instructions for applying APM UI 7.7 IF3:
http://www-01.ibm.com/support/docview.wss?uid=swg24042494
2) Add the following lines to the APMUI 7.7 configuration file
<APMUI_HOME>/usr/servers/apmui/server.xml
<ssl id="defaultSSLConfig" sslProtocol="TLSv1.2"
keyStoreRef="defaultKeyStore"/>
after the line
<keyStore id="defaultKeyStore" password="<password>"/>
3) Restart the APMUI application service with the commands "server stop apmui" and "server start apmui"
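A quick way to confirm that step 2 was applied correctly before (and after) the restart is to audit server.xml for the <ssl> element and its sslProtocol value, and then to check that the listener on 9443 actually negotiates TLS 1.2. The script below is an added example, not IBM's or the APM UI team's code; the two server.xml documents are constructed samples, the accepted protocol values are an assumption (TLSv1.2 or TLSv1.3), and the live probe is optional and only for running against your own server after the restart:

```python
"""Offline audit of a Liberty server.xml for the sslProtocol setting, plus an
optional live TLS 1.2 probe.  Added example, not IBM's code.  Assumes the
<ssl>/<keyStore> elements shown in the post; sample documents are constructed."""
import socket
import ssl
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: server.xml after step 2 (the <ssl> element added after <keyStore>).
HARDENED_SERVER_XML = """<server description="apmui">
    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}REPLACE_ME"/>
    <ssl id="defaultSSLConfig" sslProtocol="TLSv1.2"
         keyStoreRef="defaultKeyStore"/>
</server>
"""

# Constructed sample: server.xml before step 2 (no <ssl> element, so protocol defaults apply).
DEFAULT_SERVER_XML = """<server description="apmui">
    <keyStore id="defaultKeyStore" password="{xor}REPLACE_ME"/>
</server>
"""

# Assumption: only these sslProtocol values are considered acceptable.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def audit_server_xml(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the file passes the check."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    keystore_ids = {ks.get("id") for ks in root.iter("keyStore")}
    ssl_elements = list(root.iter("ssl"))
    if not ssl_elements:
        findings.append("no <ssl> element: sslProtocol is not pinned, legacy protocols may be negotiated")
        return findings
    for ssl_el in ssl_elements:
        ssl_id = ssl_el.get("id", "<no id>")
        proto = ssl_el.get("sslProtocol")
        if proto is None:
            findings.append(f"ssl '{ssl_id}': sslProtocol attribute missing")
        elif proto not in ACCEPTED_PROTOCOLS:
            findings.append(f"ssl '{ssl_id}': sslProtocol is '{proto}', expected TLSv1.2 or newer")
        ref = ssl_el.get("keyStoreRef")
        if ref not in keystore_ids:
            findings.append(f"ssl '{ssl_id}': keyStoreRef '{ref}' does not match any <keyStore id>")
    return findings


def probe_tls12(host: str, port: int = 9443, timeout: float = 5.0) -> bool:
    """Live check (not run offline): True if the server completes a handshake that is
    pinned to TLS 1.2.  Certificate verification is disabled on purpose because the
    product certificate may be self-signed or expired (findings D and F); the goal here
    is only to confirm the protocol version, not to trust the endpoint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1.2"
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED_SERVER_XML), ("default", DEFAULT_SERVER_XML)):
        print(label, audit_server_xml(doc) or "OK")
```

Point audit_server_xml() at the real <APMUI_HOME>/usr/servers/apmui/server.xml contents and, once "server start apmui" has completed, call probe_tls12("your-apmui-host") to confirm the listener on 9443 negotiates TLS 1.2.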
For the issues concerning certificates (D and F), you need to generate a new certificate to replace the original one.
Please refer to the instructions below:
APMUI 7.7 Generating certificate signing request for Certificate Authority
http://www-01.ibm.com/support/docview.wss?uid=swg21685912
Note:
If you do not have a CA, create a new self-signed SSL certificate using the instructions below:
How can I renew an expired certificate in APMUI
https://developer.ibm.com/answers/questions/254322/how-can-i-renew-expir/
In this way you create your own certificate instead of using the one shipped with the product, and you can also choose a larger key size.
You can do this with securityUtility, using the --keySize flag.
More details here:
https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/rwlp_command_securityutil.html
If you use the ikeyman GUI instead, you can select the key size directly from a menu.
For vulnerability E, the last one discussed here:
E) [medium] [9443/101155152/www] SSL RC4 Cipher Suites Supported
the situation is a bit more difficult, because this one is related to the underlying WAS Liberty profile; the possible solution is described in this technote:
https://www-01.ibm.com/support/docview.wss?uid=swg21701503
The suggested patch/fix applies to WAS Liberty, but APM UI 7.7 usually delivers WAS updates as part of APM fixes, and according to the APMUI development team patching WAS Liberty separately is not supported.
There is however a workaround, described in the "Workaround and Mitigations" section at the bottom of the technote, which explains how to turn off the RC4 cipher suite manually:
Edit the java.security file and turn off RC4 by adding:
jdk.tls.disabledAlgorithms=SSLv3,RC4
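Because java.security is a Java properties file, the jdk.tls.disabledAlgorithms value may span several physical lines (a trailing backslash continues the value), and if the key appears more than once the JDK keeps the last one, so a plain grep for "RC4" can give a false sense of security. The script below, an added example rather than IBM's code, parses the file the way the JDK does and reports whether SSLv3 and RC4 are actually disabled; both java.security excerpts are constructed samples:

```python
"""Check a java.security file for the jdk.tls.disabledAlgorithms workaround described
above.  Added example, not IBM's code.  Sample file contents are constructed; the
syntax handled (key=value, '#'/'!' comments, backslash continuation) is standard
Java properties syntax."""
from typing import Dict, Set

# Constructed sample: java.security before the workaround (only SSLv3 disabled).
JAVA_SECURITY_BEFORE = """\
# Comment lines start with '#'
security.provider.1=sun.security.provider.Sun
jdk.tls.disabledAlgorithms=SSLv3
"""

# Constructed sample: after adding RC4, with the value continued over two lines.
JAVA_SECURITY_AFTER = """\
security.provider.1=sun.security.provider.Sun
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 768
"""

# What the technote workaround requires to be present.
REQUIRED_DISABLED = {"SSLv3", "RC4"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java properties parser.  A trailing backslash joins the next physical
    line to the current value; comments are skipped only when they start a new
    logical line; a repeated key keeps its last value, matching JDK behaviour."""
    props: Dict[str, str] = {}
    pending = ""  # partial logical line accumulated across continuations
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue
        line = pending + stripped
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def disabled_tls_algorithms(text: str) -> Set[str]:
    """Individual entries of jdk.tls.disabledAlgorithms, e.g. {'SSLv3', 'RC4', 'DH keySize < 768'}."""
    value = parse_properties(text).get("jdk.tls.disabledAlgorithms", "")
    return {entry.strip() for entry in value.split(",") if entry.strip()}


def missing_disabled_algorithms(text: str) -> Set[str]:
    """Required entries the file does not disable; an empty set means the workaround is applied."""
    return REQUIRED_DISABLED - disabled_tls_algorithms(text)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    content = open(path, encoding="utf-8").read() if path else JAVA_SECURITY_AFTER
    missing = missing_disabled_algorithms(content)
    print("OK: SSLv3 and RC4 disabled" if not missing else f"still enabled: {sorted(missing)}")
```

Run it as "python check_java_security.py <JAVA_HOME>/jre/lib/security/java.security" (path assumed; use the java.security of the JRE that actually runs the apmui server) before and after editing the file.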
Thanks for your time.
UID
ibm11085139