Return
-
Title
Vulnerability CVE-2015-4000 found on Management server -
Description
A security scan found vulnerability CVE-2015-4000 on Foglight Management Server SSL ports 8443 and 4444.
-
Cause
This is described in NIST's page as:
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
-
Resolution
WORKAROUND
- Edit [fms_home]/server/tomcat/server.xml
- Locate the Connector element and edit the ciphers attribute to remove any ciphers whose name contains "_DHE_". The list should look like this:
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - Save changes
- Edit [fms_home]/config/server.config
- Add server.vm.optionX = "-Djdk.tls.ephemeralDHKeySize=2048"; (replace X with the next number in the sequence of existing JVM options)
- Save changes
- Restart the FMS
A new security scan with the same tool would be ideal to confirm the vulnerability is now resolved.
We have KB 232703 with generic steps for this task and it can be used as reference.STATUS
This has been logged as FOG-657 and FGL-20482, and included in the Foglight version 5.9.8 and higher releases of the Foglight Management Server.
-
Defect ID
FGL-20482,FOG-657