IBM Support

Fixing APM UI 7.7 vulnerabilities

Technical Blog Post


Abstract

Fixing APM UI 7.7 vulnerabilities

Body

Running Nessus scan tool revealed some vulnerabilities on port 9443 used by APM UI 7.7  

This is the list of the most important vulnerabilities and suggestions provided by the tool to possibly fix them.
   
A)    [high] [9443/101155152/www] SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)  
Nessus tools recommend to "Disable SSLv3" and set httpd.conf file to disable SSLv3 and SSLv2 for each context  that contains "SSLEnable" -> SSLProtocolDisable SSLv3 SSLv2  
   
B)    [high] [9443/101155152/www] SSL Version 2 and 3 Protocol Detection (POODLE)  
Nessus tools recommend to Configure the server to disable SSLv2 and SSLv3 and enable TLS (preferably v1.2)  
 
C)    [high] [9443/101155152/www] TLS Version 1.2 Protocol Not Enabled
Nessus tools recommend to Enable TLSv1.2. and for IBM HTTP Server -> Ensure the configuration for each Virtual Host container contains the TLSv12 option for the SSLProtocolEnable directive "SSLProtocolEnable TLSv11 TLSv1.2"  

D)    [high] [9443/101155152/www] SSL Certificate Chain Contains RSA Keys Less Than 2048 bits  
Nessus tools recommend to Replace the certificate in the chain with the RSA key less than 2048 bits in length with a longer key, and reissue any certificates it signed.  
   
E)    [medium] [9443/101155152/www] SSL RC4 Cipher Suites Supported  
Nessus tools recommend to Reconfigure the affected application, if  possible, to avoid use of RC4 ciphers.  
This refers to SECRET KEY CIPHERS and not public key algorithms which are typically 1024 bits and higher.  
   
F)    [medium] [9443/101155152/www] Secure Socket Layer (SSL) Expired Certificate  
Nessus tools recommend to Replace the expired certificate with a new, valid certificate.
   

How can the above vulnerabilities be addressed for APM UI 7.7 ?


Vulnerabilities A-B-C are addressed by the following instructions.

Blaze team stated that POODLE & BEAST vulnerabilities are fixed in Blaze 2.3.0.3 and above versions.  
Blaze 2.3.0.3 is adopted in APM UI 7.7 IF03.  
APMUI configuration file need to be changed to disable SSL, and support TLS v1.2 and above.  These are the required steps:  
   
1) Apply APMUI 7.7 IF3, because Blaze 2.3.0.3 is picked up in this fix.
The instruction for applying APM UI 7.7 IF3:

http://www-01.ibm.com/support/docview.wss?uid=swg24042494  
   
2) Add the below line into APMUI 7.7 configuration file  

<APMUI_HOME>/usr/servers/apmui/server.xml  
        <ssl id="defaultSSLConfig" sslProtocol="TLSv1.2"  
     keyStoreRef="defaultKeyStore"/>  


   after the line  
     <keyStore id="defaultKeyStore" password="<password>"/>  
   
3) Restart APMUI application service by command "server stop apmui" and  "server start apmui"  
   
For the issues concerning certificates (D and F), You need to generate a new certificate to replace the original one.
Please refer the below instructions:


APMUI 7.7 Generating certificate signing request for Certificate Authority  
   
http://www-01.ibm.com/support/docview.wss?uid=swg21685912  
   
Note:
If you do not have a CA, please self-create a new ssl certificate using below instructions:  
   
How can I renew an expired certificate in APMUI  
https://developer.ibm.com/answers/questions/254322/how-can-i-renew-expir/  
   
In this way you can create your custom certificate instead of using the product provided certificate, in case also deciding to use a greater keysize.

You can do it by using securityUtility, with flag --keySize.
More details here:  
   
https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/rwlp_command_securityutil.html  
   
Using ikeyman GUI instead, you can select the key size directly from a menu

 

For the vulnerability E, the last one we are discussing here:

E)    [medium] [9443/101155152/www] SSL RC4 Cipher Suites Supported

the situation is a bit more difficult because this one is related to the underlying WAS Liberty profile and the possible solution is described in this technote  
   
https://www-01.ibm.com/support/docview.wss?uid=swg21701503  
   
The suggested patch/fix applies to WAS Liberty, but usually APM UI 7.7 delivers also WAS updates into  APM fixes and as per APMUI dev team, it is not supported to patch WAS Liberty separately.

There is anyway a workaround described in the "Workaround and Mitigations" section at the bottom where  it suggests how to turn off RC4 cipher suite manually:  
 
Edit the java.security file and turn off RC4 by adding:  
jdk.tls.disabledAlgorithms=SSLv3,RC4

 

Thanks for your time.

 

 

Tutorials Point

 

Subscribe and follow us for all the latest information directly on your social feeds:

 

 

image

 

image

 

image

 

 

  

Check out all our other posts and updates:

Academy Blogs:https://goo.gl/U7cYYY
Academy Videos:https://goo.gl/FE7F59
Academy Google+:https://goo.gl/Kj2mvZ
Academy Twitter :https://goo.gl/GsVecH


image

[{"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Product":{"code":"","label":""},"Component":"","Platform":[{"code":"","label":""}],"Version":"","Edition":""}]

UID

ibm11085139