My prod & dev MoM (EM) server has come under a Nessus scan vulnerability that needs immediate remediation. I've also opened up a case (01285297) with CA Support. I'd also like to put it out to the Community in parallel to get additional assistance.
Since this is a security hit for my org, it needs to be resolved ASAP or it could affect "authority to operate" for APM altogether.
Thanks in advance for any/all help with this issue.
Here are the details of the vulnerability:
Yanna - please post your findings here if you'd like.
Feedback from our Security Team on this vulnerability...
"I'm assuming that Nessus is querying the port and getting a response back from it, which is how it's identifying the vulnerability. The question is, what is it, on the server, that responds to traffic on that port. That's the config you probably need to look at."
So, the question is...which config file would this be in? I've already updated the following properties in MoM's "em-jetty-config.xml" file and still getting hit by the above vulnerability.
<Set name="cipherSuites">
  <Array type="java.lang.String">
    <Item>ECDHE-RSA-AES128-GCM-SHA256</Item>
    <!-- Item>SSL_DH_anon_WITH_RC4_128_MD5</Item -->
  </Array>
</Set>
<Set name="protocols">
  <Array type="java.lang.String">
    <Item>TLSv1.2</Item>
    <!-- <Item>TLSv1.1</Item> -->
    <!-- <Item>TLSv1</Item> -->
  </Array>
</Set>
<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
    <Item>SSLv3</Item>
  </Array>
</Set>
We met on this Friday. Note that you have a case and a community post, and it appears to be a configuration setting. I suggest working through the case since this is a tough issue to resolve without WebEx.
Worked with CA Support last week on Friday. The solution was to make changes to java.security file.
In the IntroscopeEnterpriseManager.properties file it mentions the following:
# Set the enabled cipher suites.
# A comma-separated list of cipher suites.
# If not specified, use the default enabled cipher suites.
#introscope.enterprisemanager.ciphersuites.channel2=
Since the above property is commented out, it means that EM (in this case the MoM) is using the default java security policy located under <EM_Home>/jre/lib/security/java.security. This is the current property:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
Comment out the above property, copy the above property and change it to the following (ensure you back up the file before making any changes to it):
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, MD5, DSA, DESede, DES, RSA keySize < 2048
Save the file, and then restart the EM.
This should take care of the SSLv3 as well as the medium-to-weak cipher suite issue on your Nessus security scans. Thanks Hallett_German and Yanna for all your help.
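An added example (not from the thread, and not CA's code): a simplified Python model of how a jdk.tls.disabledAlgorithms line filters protocol and cipher-suite choices, used to compare the before and after lines quoted above. It assumes JSSE-style suite names (TLS_RSA_WITH_3DES_EDE_CBC_SHA rather than the OpenSSL names in em-jetty-config.xml), a plain token match instead of JSSE's full matching rules, and that the key-size constraints apply to the server's RSA certificate key and DH parameter size.

```python
import re

# The two java.security lines quoted in the thread (before and after the fix).
OLD_POLICY = "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768"
NEW_POLICY = ("jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, MD5, DSA, "
              "DESede, DES, RSA keySize < 2048")

# Assumed simplification: map JSSE suite-name tokens onto the names the
# property uses (3DES is DESede; DHE key exchange falls under "DH keySize").
TOKEN_ALIASES = {"3DES": "DESEDE", "DHE": "DH"}
NOISE = {"SSL", "TLS", "WITH"}


def parse_disabled(line):
    """Return (disabled names, {alg: minimum key size}) from a property line."""
    value = line.split("=", 1)[1]
    names, min_key = set(), {}
    for entry in (e.strip() for e in value.split(",")):
        m = re.fullmatch(r"(\w+)\s+keySize\s*<\s*(\d+)", entry)
        if m:
            min_key[m.group(1).upper()] = int(m.group(2))
        elif entry:
            names.add(entry.upper())
    return names, min_key


def suite_tokens(suite):
    """TLS_RSA_WITH_3DES_EDE_CBC_SHA -> {'RSA', 'DESEDE', 'EDE', 'CBC', 'SHA'}"""
    return {TOKEN_ALIASES.get(t, t) for t in suite.upper().split("_")
            if t not in NOISE}


def disabled_reason(policy_line, protocol, suite, key_bits):
    """Return why the handshake is refused under the policy, or None if allowed.
    key_bits holds the server's key sizes, e.g. {"RSA": 2048, "DH": 1024}."""
    names, min_key = parse_disabled(policy_line)
    if protocol.upper() in names:
        return f"protocol {protocol} disabled"
    tokens = suite_tokens(suite)
    hit = tokens & names
    if hit:
        return f"suite uses disabled algorithm {sorted(hit)[0]}"
    for alg, minimum in min_key.items():
        bits = key_bits.get(alg, 0)
        if alg in tokens and bits < minimum:
            return f"{alg} key {bits} < {minimum}"
    return None
```

Under the old line a 3DES suite such as TLS_RSA_WITH_3DES_EDE_CBC_SHA is still allowed (which is what a "medium strength" finding typically reports), while the new line refuses it because of DESede.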