Automic Workload Automation

  • 1.  Microsoft hardening - RC4 ciphers for NETLOGON - CVE-2022-38023

    Posted Mar 21, 2023 06:55 AM

    Hi Community,

    Microsoft has announced that they are retiring the RC4 cipher in relation to the Netlogon protocol vulnerability. Does anyone know if Automic might run into a problem with normal LDAPS connections or LDAP sync because of this issue?

    Microsoft hardening - RC4 ciphers for NETLOGON - CVE-2022-38023



    ------------------------------
    Olgun Onur Ozmen
    https://www.linkedin.com/in/olgunonurozmen/
    ------------------------------


  • 2.  RE: Microsoft hardening - RC4 ciphers for NETLOGON - CVE-2022-38023

    Posted Mar 21, 2023 07:01 AM

    I am already facing the issues and have raised a support case. RC4 is disabled in our organization, but AE does not support the latest crypto AES256-SHA1.

    Error:

    20230105/052302.903 - 42     U00045006 Checking Kerberos token for Single sign-on.
    20230105/052302.908 - 42     U00045014 Exception 'java.security.PrivilegedActionException: "null"' at 'java.security.AccessController.doPrivileged()'.
    20230105/052302.909 - 42     U00045015 The previous error was caused by 'org.ietf.jgss.GSSException: "Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)"' at 'sun.security.jgss.krb5.Krb5Context.acceptSecContext():859'.
    20230105/052302.910 - 42     U00045015 The previous error was caused by 'sun.security.krb5.KrbException: "Encryption type RC4 with HMAC is not supported/enabled"' at 'sun.security.krb5.EncryptionKey.findKey():544'.



    ------------------------------
    Dominic I
    ------------------------------
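
The error chain in the post above, walked programmatically so the root cause and the rejected Kerberos encryption type can be pulled out of a larger log. This is an added example, not part of the original post and not Broadcom/Automic code. It assumes the line layout seen in the post, and that U00045014 opens an exception and U00045015 lines continue it (inferred from those three lines only); the function names are hypothetical.

```python
import re

# Constructed sample: the AE log lines quoted in the post above,
# with the wrapped lines rejoined.
SAMPLE_LOG = """\
20230105/052302.903 - 42     U00045006 Checking Kerberos token for Single sign-on.
20230105/052302.908 - 42     U00045014 Exception 'java.security.PrivilegedActionException: "null"' at 'java.security.AccessController.doPrivileged()'.
20230105/052302.909 - 42     U00045015 The previous error was caused by 'org.ietf.jgss.GSSException: "Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)"' at 'sun.security.jgss.krb5.Krb5Context.acceptSecContext():859'.
20230105/052302.910 - 42     U00045015 The previous error was caused by 'sun.security.krb5.KrbException: "Encryption type RC4 with HMAC is not supported/enabled"' at 'sun.security.krb5.EncryptionKey.findKey():544'.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{8}/\d{6}\.\d{3}) - (?P<thread>\d+)\s+(?P<msgid>U\d{8}) (?P<text>.*)$")
EXC_RE = re.compile(r"""'(?P<cls>[\w.$]+): "(?P<msg>.*)"' at '(?P<where>[^']*)'""")
ETYPE_RE = re.compile(r"Encryption type (?P<etype>.+?) is not supported/enabled")

def parse_chains(log_text):
    """Group each U00045014 exception with its U00045015 'caused by' lines, per thread."""
    open_chain = {}  # thread id -> chain currently being built
    chains = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation or foreign line, ignore
        exc = EXC_RE.search(m["text"])
        if m["msgid"] == "U00045014" and exc:
            chain = {"ts": m["ts"], "thread": m["thread"], "causes": [exc.groupdict()]}
            open_chain[m["thread"]] = chain
            chains.append(chain)
        elif m["msgid"] == "U00045015" and exc and m["thread"] in open_chain:
            open_chain[m["thread"]]["causes"].append(exc.groupdict())
        else:
            open_chain.pop(m["thread"], None)  # any other message ends the chain
    return chains

def rejected_etypes(log_text):
    """Return (timestamp, thread, root exception class, etype) per etype rejection."""
    findings = []
    for chain in parse_chains(log_text):
        root = chain["causes"][-1]  # last 'caused by' entry is the root cause
        et = ETYPE_RE.search(root["msg"])
        if et:
            findings.append((chain["ts"], chain["thread"], root["cls"], et["etype"]))
    return findings

if __name__ == "__main__":
    for finding in rejected_etypes(SAMPLE_LOG):
        print(*finding)
```
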



  • 3.  RE: Microsoft hardening - RC4 ciphers for NETLOGON - CVE-2022-38023

    Posted Mar 21, 2023 07:07 AM

    Do you experience this with normal LDAP and LDAPS connections, or when using Kerberos or SSO?



    ------------------------------
    Olgun Onur Ozmen
    https://www.linkedin.com/in/olgunonurozmen/
    ------------------------------



  • 4.  RE: Microsoft hardening - RC4 ciphers for NETLOGON - CVE-2022-38023

    Posted Mar 21, 2023 07:10 AM

    The normal LDAP connection is working fine. Kerberos is throwing errors.



    ------------------------------
    Dominic I
    ------------------------------



  • 5.  RE: Microsoft hardening - RC4 ciphers for NETLOGON - CVE-2022-38023

    Posted Mar 21, 2023 10:49 AM

    If you can send the result of the case here, we will be informed. After all, this situation concerns all companies.



    ------------------------------
    Olgun Onur Ozmen
    https://www.linkedin.com/in/olgunonurozmen/
    ------------------------------



  • 6.  RE: Microsoft hardening - RC4 ciphers for NETLOGON - CVE-2022-38023

    Posted Mar 22, 2023 01:10 AM

    The support team is still working on the issue. I will let you know once it's fixed.

    Current error:

    2023-03-22 06:00:46,144 pool-1-thread-10       [TRACE] NOLOGIN/- 28E82D2A5E16B939AB61C700D1700658-0  +4 [com.uc4.ecc.backends.impl.dataservice.connection.ConnectionService] - Closed connection com.uc4.webui.api.connection.AEConnectionAdapter@43bd076d
    2023-03-22 06:00:46,145 pool-1-thread-10       [TRACE] NOLOGIN/- 28E82D2A5E16B939AB61C700D1700658-0  +4 [com.uc4.ecc.plugins.login.view.LoginDialogPresenter] - Failed login
    com.uc4.webui.util.MessageBoxException: Message box received: 3210 of type E with inserts   shown, message 'Logon error: Access denied'.
            at com.uc4.webui.util.MessageBoxException.provoke(MessageBoxException.java:33)
            at com.uc4.webui.api.connection.AESessionInfoAdapter.provokeMessageBoxException(AESessionInfoAdapter.java:46)
            at com.uc4.ecc.plugins.login.api.BaseAutomationEngineLoginBehaviour.createLoginResult(BaseAutomationEngineLoginBehaviour.java:99)
            at com.uc4.ecc.plugins.login.api.BaseAutomationEngineLoginBehaviour.initiateLogin(BaseAutomationEngineLoginBehaviour.java:73)
            at com.uc4.ecc.plugins.login.behaviours.kerberos.KerberosLoginBehaviour.initiateLogin(KerberosLoginBehaviour.java:65)
            at com.uc4.ecc.plugins.login.api.BaseAutomationEngineLoginBehaviour.initiateLogin(BaseAutomationEngineLoginBehaviour.java:40)
            at com.uc4.ecc.plugins.login.backend.LoginService.login(LoginService.java:100)
            at com.uc4.ecc.plugins.login.api.ILoginService$pbryglu.login(Unknown Source)
            at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.performAutomationEngineLogin(LoginDialogPresenter.java:266)
            at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.login(LoginDialogPresenter.java:231)
            at com.uc4.ecc.framework.core.async.BaseRequestCoordinator$1$1.call(BaseRequestCoordinator.java:237)
            at com.uc4.ecc.framework.core.pool.ContextAwareExecutorService$CallableImplementation.call(ContextAwareExecutorService.java:79)
            at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)
            at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:74)
            at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)
            at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
            at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
            at java.base/java.lang.Thread.run(Thread.java:829)
    2023-03-22 06:00:46,145 pool-1-thread-10       [TRACE] NOLOGIN/- 28E82D2A5E16B939AB61C700D1700658-0  +4 [com.uc4.ecc.framework.entrypoint.navigation.PluginInstantiator] - cleanup called on com.uc4.ecc.framework.entrypoint.navigation.PluginInstantiator@18142374
    java.lang.Throwable: null
            at com.uc4.ecc.framework.entrypoint.navigation.PluginInstantiator.cleanup(PluginInstantiator.java:478)
            at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.cleanupFailedLogin(LoginDialogPresenter.java:321)
            at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.login(LoginDialogPresenter.java:254)
            at com.uc4.ecc.framework.core.async.BaseRequestCoordinator$1$1.call(BaseRequestCoordinator.java:237)
            at com.uc4.ecc.framework.core.pool.ContextAwareExecutorService$CallableImplementation.call(ContextAwareExecutorService.java:79)
            at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)
            at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:74)
            at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)
            at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
            at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
            at java.base/java.lang.Thread.run(Thread.java:829)
    2023-03-22 06:00:46,145 pool-1-thread-10       [DEBUG] NOLOGIN/- 28E82D2A5E16B939AB61C700D1700658-0  +4 [com.uc4.ecc.framework.entrypoint.navigation.PluginInstantiator] - All plugin instances stopped
    2023-03-22 06:00:46,145 pool-1-thread-12       [TRACE] NOLOGIN/- 28E82D2A5E16B939AB61C700D1700658-0  +4 [com.uc4.ecc.framework.core.async.BaseRequestCoordinator] - Query with hashCode 1538288550 has just failed due to: java.lang.RuntimeException: com.uc4.webui.util.MessageBoxException: Message box received: 3210 of type E with inserts   shown, message 'Logon error: Access denied'.
    java.lang.RuntimeException: com.uc4.webui.util.MessageBoxException: Message box received: 3210 of type E with inserts   shown, message 'Logon error: Access denied'.
            at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.login(LoginDialogPresenter.java:259)
            at com.uc4.ecc.framework.core.async.BaseRequestCoordinator$1$1.call(BaseRequestCoordinator.java:237)
            at com.uc4.ecc.framework.core.pool.ContextAwareExecutorService$CallableImplementation.call(ContextAwareExecutorService.java:79)
            at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131)
            at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:74)
            at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82)
            at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
            at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
            at java.base/java.lang.Thread.run(Thread.java:829)
    Caused by: com.uc4.webui.util.MessageBoxException: Message box received: 3210 of type E with inserts   shown, message 'Logon error: Access denied'.
            at com.uc4.webui.util.MessageBoxException.provoke(MessageBoxException.java:33)
            at com.uc4.webui.api.connection.AESessionInfoAdapter.provokeMessageBoxException(AESessionInfoAdapter.java:46)
            at com.uc4.ecc.plugins.login.api.BaseAutomationEngineLoginBehaviour.createLoginResult(BaseAutomationEngineLoginBehaviour.java:99)
            at com.uc4.ecc.plugins.login.api.BaseAutomationEngineLoginBehaviour.initiateLogin(BaseAutomationEngineLoginBehaviour.java:73)
            at com.uc4.ecc.plugins.login.behaviours.kerberos.KerberosLoginBehaviour.initiateLogin(KerberosLoginBehaviour.java:65)
            at com.uc4.ecc.plugins.login.api.BaseAutomationEngineLoginBehaviour.initiateLogin(BaseAutomationEngineLoginBehaviour.java:40)
            at com.uc4.ecc.plugins.login.backend.LoginService.login(LoginService.java:100)
            at com.uc4.ecc.plugins.login.api.ILoginService$pbryglu.login(Unknown Source)
            at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.performAutomationEngineLogin(LoginDialogPresenter.java:266)
            at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.login(LoginDialogPresenter.java:231)
            ... 8 common frames omitted



    ------------------------------
    Dominic I
    ------------------------------