dev@glassfish.java.net

[gf-dev] Low cipher issue on glassfish port 3920

From: Krushna Chandra Sahu <mailkrushna_at_gmail.com>
Date: Tue, 22 Jul 2014 19:06:09 +0530

Hi team,

  We found a vulnerability with our glassfish . Below are the details .

glassfish version :- glassfish-3.1.2-b13 Port no :- 3920

Threat :-

SSL encryption ciphers are classified based on encryption key length as
follows:

 HIGH - key length larger than 128 bits
 MEDIUM - key length equal to 128 bits
 LOW - key length smaller than 128 bits

Messages encrypted with LOW encryption ciphers are easy to decrypt.
Commercial SSL servers should only support MEDIUM or HIGH strength ciphers
to guarantee transaction security.

The following link provides more information about this vulnerability:

 Analysis of the SSL 3.0 protocol (
http://www.schneier.com/paper-ssl-revised.pdf)

Please note that this detection only checks for weak cipher support at the
SSL layer. Some servers may implement additional protection at the data
layer. For example, some SSL servers and SSL proxies (such as SSL
accelerators) allow cipher negotiation to complete but send back an error
message and abort further communication on the secure channel. This
vulnerability may not be exploitable for such configurations.

*IMPACT :-*

An attacker can exploit this vulnerability to decrypt secure communications
without authorization.

*Solution :- *

isable support for LOW encryption ciphers.
 Apache
 Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the
following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Apache/apache_ssl include the following line in the configuration file
(httpsd.conf):
SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

 Tomcat

sslProtocol="SSLv3"
 ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_W
 ITH_3DES_EDE_CBC_SHA"

 IIS

How to Restrict the Use of Certain Cryptographic Algorithms and Protocols
in Schannel.dll (
http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030) (Windows
restart required)
 How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet
Information Services (
http://support.microsoft.com/default.aspx?scid=kb;en-us;187498) (Windows
restart required)
 Security Guidance for IIS (
http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
 For Novell Netware 6.5 please refer to the following document
SSL Allows the use of Weak Ciphers. -TID10100633 (
http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm)


                       Let me know ,how to fix this with glassfish .

Regards
Krushna
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.