IBM Support

Fixing APM UI 7.7 vulnerabilities

Technical Blog Post




Running the Nessus scan tool revealed some vulnerabilities on port 9443, which is used by APM UI 7.7.

This is the list of the most important vulnerabilities, together with the suggestions provided by the tool to fix them.
A)    [high] [9443/101155152/www] SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
The Nessus tool recommends to "Disable SSLv3": in the httpd.conf file, for each context that contains "SSLEnable", disable SSLv3 and SSLv2 -> SSLProtocolDisable SSLv3 SSLv2
B)    [high] [9443/101155152/www] SSL Version 2 and 3 Protocol Detection (POODLE)
The Nessus tool recommends to configure the server to disable SSLv2 and SSLv3 and enable TLS (preferably v1.2).
C)    [high] [9443/101155152/www] TLS Version 1.2 Protocol Not Enabled
The Nessus tool recommends to enable TLSv1.2. For IBM HTTP Server, ensure the configuration for each Virtual Host container contains the TLSv12 option for the SSLProtocolEnable directive: "SSLProtocolEnable TLSv11 TLSv12"

D)    [high] [9443/101155152/www] SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
The Nessus tool recommends to replace the certificate in the chain whose RSA key is shorter than 2048 bits with one using a longer key, and to reissue any certificates it signed.
E)    [medium] [9443/101155152/www] SSL RC4 Cipher Suites Supported
The Nessus tool recommends to reconfigure the affected application, if possible, to avoid the use of RC4 ciphers.
This refers to secret key (symmetric) ciphers, not to public key algorithms, whose keys are typically 1024 bits and longer.
F)    [medium] [9443/101155152/www] Secure Socket Layer (SSL) Expired Certificate
The Nessus tool recommends to replace the expired certificate with a new, valid certificate.

How can the above vulnerabilities be addressed for APM UI 7.7?

Vulnerabilities A, B and C are addressed by the following instructions.

The Blaze team stated that the POODLE and BEAST vulnerabilities are fixed in Blaze and later versions.
Blaze is adopted in APM UI 7.7 IF03.
The APMUI configuration file needs to be changed to disable SSL and to support TLS v1.2 and above. These are the required steps:
1) Apply APMUI 7.7 IF3, because Blaze is picked up in this fix.
The instructions for applying APM UI 7.7 IF3:
2) Add the line below to the APMUI 7.7 configuration file

        <ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" />

   after the line
     <keyStore id="defaultKeyStore" password="<password>"/>
3) Restart the APMUI application service with the commands "server stop apmui" and "server start apmui".
For the issues concerning certificates (D and F), you need to generate a new certificate to replace the original one.
Please refer to the instructions below:

APMUI 7.7 Generating certificate signing request for Certificate Authority  
If you do not have a CA, you can create a self-signed SSL certificate using the instructions below:
How can I renew an expired certificate in APMUI  
In this way you create your own certificate instead of using the one provided with the product, and you can also choose a larger key size.

You can do it with securityUtility, using the --keySize flag.
More details here:  
If you use the ikeyman GUI instead, you can select the key size directly from a menu.


For vulnerability E, the last one discussed here:

E)    [medium] [9443/101155152/www] SSL RC4 Cipher Suites Supported

the situation is a bit more difficult, because this one is related to the underlying WAS Liberty profile; a possible solution is described in this technote
The suggested patch/fix applies to WAS Liberty, but APM UI 7.7 usually delivers WAS updates as part of APM fixes, and, as per the APMUI dev team, patching WAS Liberty separately is not supported.

There is anyway a workaround, described in the "Workaround and Mitigations" section at the bottom of that technote, which explains how to turn off the RC4 cipher suite manually:
Edit the file and turn off RC4 by adding:  
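As an added check, not code from the original post or from the APM UI product, the following Python script audits a Liberty server.xml for the two settings discussed above: the sslProtocol="TLSv1.2" value from step 2, and the absence of RC4 entries in the cipher list that the workaround edits. The sample server.xml fragments and cipher-suite names are constructed; the file name server.xml and the enabledCiphers attribute are assumed from the Liberty profile underneath APMUI.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample fragments of a Liberty server.xml (not from the post):
# the first leaves the protocol unpinned and lists an RC4 suite, the second
# carries the sslProtocol setting from step 2 with RC4 removed.
WEAK_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" password="changeit"/>
  <ssl id="defaultSSLConfig"
       enabledCiphers="SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA"/>
</server>"""

FIXED_SERVER_XML = """<server>
  <keyStore id="defaultKeyStore" password="changeit"/>
  <ssl id="defaultSSLConfig" sslProtocol="TLSv1.2"
       enabledCiphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>
</server>"""

# Protocol values that close findings A, B and C (nothing older than TLSv1.2).
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def audit_ssl_config(server_xml: str, ssl_id: str = "defaultSSLConfig") -> List[str]:
    """Return the Nessus finding labels that are still open in this config.

    An empty list means the protocol is pinned to TLSv1.2 or newer and no
    RC4 cipher suite is enabled. Assumption: enabledCiphers is a
    space-separated list of JSSE cipher-suite names.
    """
    root = ET.fromstring(server_xml)
    ssl = next((e for e in root.iter("ssl") if e.get("id") == ssl_id), None)
    findings: List[str] = []
    if ssl is None:
        # Without the <ssl> element nothing pins the protocol, so A/B/C stay open.
        return [f"A/B/C: no <ssl id={ssl_id!r}> element, sslProtocol is not pinned"]

    protocol = ssl.get("sslProtocol", "")
    # Newer Liberty levels accept a comma-separated list, so check every entry.
    listed = {p.strip() for p in protocol.split(",") if p.strip()}
    if not listed or listed - ACCEPTED_PROTOCOLS:
        findings.append(f"A/B/C: sslProtocol={protocol!r} does not restrict to TLSv1.2 or newer")

    rc4_suites = [c for c in ssl.get("enabledCiphers", "").split() if "RC4" in c.upper()]
    if rc4_suites:
        findings.append("E: RC4 cipher suites still enabled: " + ", ".join(rc4_suites))
    return findings


if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(name, audit_ssl_config(xml_text) or ["clean"])
```

Run it against the real server.xml after step 3 and after the RC4 workaround; an empty result confirms both settings took effect before re-running the Nessus scan.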


Thanks for your time.


