Brocade Management Software Community



  • 1.  BNA RC4

    Posted 09-28-2015 07:07 AM
    Brocade Security Advisory ID: BSA-2015-007
    states that BNA is affected by CVE-2015-2808, and the current assessment is to disable the RC4-related ciphers in the cipher list
    to remove the vulnerability.
    Can anyone tell me the procedure to do this, please?


  • 2.  Re: BNA RC4

    Posted 09-28-2015 04:26 PM

    One method is to edit jboss/standalone/configuration/standalone-dcm.xml. Find the line starting with "


    Add something like this before the closing tag: 




    Then restart BNA. That will limit the allowed ciphers to only those shown. This may cause issues with browser support. If you're running up-to-date browsers, you'll be OK. If you're running older client OSes/browsers, you'll have problems (but then you've got lots of other problems anyway).


    There are a few notes on JBoss config here:


  • 3.  Re: BNA RC4

    Posted 09-30-2015 03:43 AM

    Hi Lindsay,


    The IBM security vulnerability page says CVE-2015-2808 is fixed in version 12.4.2.


    So I installed Network Advisor 12.4.2 and reran the Nessus scan, but the vulnerability is still detected.


    I applied the fix you mentioned on the 12.4.2 code (hopefully I did this correctly!) and restarted the server, then reran the Nessus scan, and the vulnerability is still identified.





    Is there something I haven't done correctly?





  • 4.  Re: BNA RC4

    Posted 09-30-2015 02:09 PM

    My understanding is that one fix for the issue is to upgrade the JRE to 1.7u85. That changes the default allowed ciphers to remove RC4. (You can still go and explicitly enable it.) But the default Brocade BNA 12.4.2 ships with JRE 1.7u80. The IBM version may be modified, either to change the JRE or to change the configuration.


    I just ran some tests with my lab system. This is a fairly vanilla Brocade version 12.4.2 install. With default settings, I used sslscan to check the allowed ciphers. I got this result:

    lhill@ubuntu:~$ sslscan --tls1|grep Accepted
        Accepted  TLSv1  256 bits  AES256-SHA
        Accepted  TLSv1  168 bits  DES-CBC3-SHA
        Accepted  TLSv1  128 bits  AES128-SHA
        Accepted  TLSv1  128 bits  RC4-SHA

    I then made these changes to standalone-dcm.xml:


    (Note I've added an extra cipher in there for AES256/SHA).


    I then re-started BNA, and re-ran the sslscan tests:

    lhill@ubuntu:~$ sslscan --tls1|grep Accepted
        Accepted  TLSv1  256 bits  AES256-SHA
        Accepted  TLSv1  128 bits  AES128-SHA

    So no more RC4 in there. You can also test this with a one-off test with OpenSSL:


    lhill$ openssl s_client -cipher "RC4-SHA" -connect
    10036:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593:

    (I didn't show it here, but that test succeeded prior to making the config changes.)


    What ciphers does Nessus report BNA is running?
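    The two checks used in the post above (parsing sslscan's "Accepted" lines, and a one-off openssl s_client handshake that offers only RC4) can be turned into a small reusable audit script. This is an added example and not code from the thread or from Brocade; it assumes sslscan and openssl are on PATH, that sslscan prints accepted suites in the four-column format shown above, and that the target is passed as host:port. The sample sslscan output embedded in it is constructed to match the before/after results posted above. Newer sslscan builds spell the TLS 1.0 switch `--tls10` rather than `--tls1`, so adjust that if your copy complains.

```shell
#!/bin/sh
# audit_rc4.sh - added example (not from the thread): check a TLS endpoint for RC4
# the way the post above does, with an sslscan output parser plus an openssl probe.
# Assumptions: sslscan and openssl on PATH; target given as host:port; sslscan's
# "Accepted  TLSv1  128 bits  RC4-SHA" line format; s_client prints "Cipher is <name>"
# after a successful handshake and "Cipher is (NONE)" after a handshake failure.

# Constructed sample: sslscan output matching the pre-fix result shown in the post.
sample_before() {
    cat <<'EOF'
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
EOF
}

# Constructed sample: sslscan output matching the post-fix result shown in the post.
sample_after() {
    cat <<'EOF'
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
EOF
}

# Print the name of every accepted cipher suite in sslscan output read from stdin.
accepted_ciphers() {
    awk '$1 == "Accepted" { print $NF }'
}

# Print accepted suites a scanner such as Nessus will flag: RC4 (CVE-2015-2808),
# DES/3DES (the DES-CBC3-SHA that is also present before the fix), export and NULL.
weak_ciphers() {
    accepted_ciphers | grep -E 'RC4|DES|EXP|NULL' || true
}

# Exit 0 if any RC4 suite is accepted (host still vulnerable), 1 otherwise.
rc4_accepted() {
    accepted_ciphers | grep -q 'RC4'
}

# Live probe, equivalent to the openssl s_client test in the post: offer only one
# cipher and see whether the server completes the handshake.
# Returns 0 if the server accepts it, 1 if it rejects it (alert handshake failure),
# 2 if the local openssl build cannot offer the cipher at all (modern builds drop
# RC4; use sslscan or an older openssl in that case rather than reading 2 as "fixed").
probe_cipher() {
    target=$1
    cipher=$2
    out=$(openssl s_client -cipher "$cipher" -connect "$target" </dev/null 2>&1)
    if printf '%s\n' "$out" | grep -q "Cipher is $cipher"; then
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'no cipher match'; then
        return 2
    fi
    return 1
}

# Usage: ./audit_rc4.sh host:port
# Runs sslscan and the RC4-SHA probe against a live target and reports the result.
if [ -n "${1:-}" ]; then
    echo "Weak suites accepted by $1 (from sslscan):"
    sslscan --tls1 "$1" | weak_ciphers
    probe_cipher "$1" RC4-SHA
    case $? in
        0) echo "RC4-SHA handshake succeeded: RC4 is still enabled" ;;
        1) echo "RC4-SHA handshake rejected: RC4 is disabled" ;;
        2) echo "local openssl cannot offer RC4-SHA; rely on the sslscan result" ;;
    esac
fi
```

Run it against the BNA HTTPS port before and after editing standalone-dcm.xml and restarting; the sslscan list should lose its RC4 line and the probe should go from 0 to 1, which is the same evidence a rescan with Nessus would give you.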





  • 5.  Re: BNA RC4

    Posted 10-09-2015 01:26 AM



    Thank you for your reply, as this has helped me resolve my issue.

    I used your post to show the RC4 alerts were resolved having applied your fix. What my scan also picked up on was RC4 alerts for Terminal Services, which the Windows team here have now resolved.


    Many thanks




  • 6.  Re: BNA RC4

    Posted 10-09-2015 12:00 PM

    Good to hear. Thanks for following up.