
VMAN vulnerabilities - Still manual work around or now part of recent updates?

Hi all, hoping you are able to confirm the below issue -

The Security Governance team have been over the servers and provided their findings.

  • ssl-cve-2011-3389-beast TLS/SSL Server is enabling the BEAST attack
  • sslv3-cve-2014-3566-poodle TLS/SSL Server is enabling the POODLE attack
  • tlsv1_0-enabled TLS Server Supports TLS version 1.0
  • tlsv1_1-enabled TLS Server Supports TLS version 1.1
  • sslv3-supported TLS/SSL Server Supports SSLv3
  • rc4-cve-2013-2566 TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
  • ssl-3des-ciphers TLS/SSL Server Supports 3DES Cipher Suite
  • ssl-static-key-ciphers TLS/SSL Server Supports The Use of Static Key Ciphers

So they have requested -

Enable TLS1.2

Disable TLS1.0, TLS1.1, SSLv2, SSLv3 and Ciphers.

I know there are the following links to help resolve this:

support.solarwinds.com/.../Protect_against_POODLE_vulnerability_on_Virtualization_Manager

https://support.solarwinds.com/Success_Center/Virtualization_Manager_(VMAN)/Disable_SSLv3_on_VMAN

Obviously, from the Tomcat section of the POODLE vulnerability article, I would only add sslEnabledProtocols="TLSv1.2", which would do some of what is required, but what about Lighttpd, as they don't want TLSv1 or SSLv2?

Will these 2 mitigation links cover off everything on the risk list, or, even better, are these risks entirely removed from the latest release of VMAN so that these steps are no longer required?

Cheers
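To see which of the listed findings a given Tomcat connector configuration would still leave open, here is an added example (not SolarWinds or VMAN code, and not from the linked KB articles) that parses a Connector element and maps its sslEnabledProtocols and ciphers attributes onto the scanner ids quoted above. The attribute names are Tomcat's documented connector-level JSSE attributes, as used in the POODLE article (Tomcat 8.5+ SSLHostConfig uses different names); in JSSE "TLSv1" means TLS 1.0. Both sample connectors are constructed for illustration and are assumptions, not VMAN's actual shipped configuration, and "tlsv1_2-missing", "sslv2hello-enabled" and "defaults-in-use-verify-with-scanner" are this example's own ids.

```python
"""Offline check of a Tomcat HTTPS Connector against the scanner findings
listed in the post.  Added example, not SolarWinds/VMAN code; sample
connectors below are constructed, not copied from a VMAN install."""
import xml.etree.ElementTree as ET

# Constructed: a connector resembling a pre-hardening state (assumption).
WEAK_CONNECTOR = """<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
    ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />"""

# Constructed: TLS 1.2 only, ephemeral (ECDHE) key exchange, no RC4/3DES.
HARDENED_CONNECTOR = """<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    sslEnabledProtocols="TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" />"""

# Key-exchange tokens that use a static (non-ephemeral) server key, which is
# what the "ssl-static-key-ciphers" finding is about.
STATIC_KEX = {"RSA", "DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA"}


def parse_connector(xml_text):
    """Return (protocols, ciphers) lists from the Connector's attributes."""
    el = ET.fromstring(xml_text)
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return split(el.get("sslEnabledProtocols", "")), split(el.get("ciphers", ""))


def key_exchange(suite):
    """'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' -> 'ECDHE_RSA'."""
    if "_" not in suite:
        return suite
    body = suite.split("_", 1)[1]            # drop the TLS_/SSL_ prefix
    return body.split("_WITH_", 1)[0]


def check_connector(xml_text):
    """Return the sorted list of finding ids the connector would still trigger."""
    protos, ciphers = parse_connector(xml_text)
    findings = set()
    if not protos or not ciphers:
        # Missing attributes mean the JVM's defaults apply; this offline
        # check cannot see those, so report it as unverified, not clean.
        findings.add("defaults-in-use-verify-with-scanner")
    if "SSLv2Hello" in protos:
        findings.add("sslv2hello-enabled")   # SSLv2-format ClientHello accepted
    if "SSLv3" in protos:
        findings.update({"sslv3-supported", "sslv3-cve-2014-3566-poodle"})
    if "TLSv1" in protos:
        findings.add("tlsv1_0-enabled")
    if "TLSv1.1" in protos:
        findings.add("tlsv1_1-enabled")
    if "TLSv1.2" not in protos:
        findings.add("tlsv1_2-missing")
    # BEAST needs a CBC suite negotiable under SSL 3.0 or TLS 1.0.
    if any("_CBC_" in c for c in ciphers) and {"SSLv3", "TLSv1"} & set(protos):
        findings.add("ssl-cve-2011-3389-beast")
    if any("RC4" in c for c in ciphers):
        findings.add("rc4-cve-2013-2566")
    if any("3DES" in c for c in ciphers):
        findings.add("ssl-3des-ciphers")
    if any(key_exchange(c) in STATIC_KEX for c in ciphers):
        findings.add("ssl-static-key-ciphers")
    return sorted(findings)


if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_CONNECTOR), ("hardened", HARDENED_CONNECTOR)):
        print(name, check_connector(xml_text) or "no findings")
```

This only checks the configuration you intend to deploy; it says nothing about what the running server actually negotiates or about other listeners on the box (such as the Lighttpd service the post asks about), so rescan after the change rather than treating an empty result as closure.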

  • Hi,

    As far as I know, those articles are still relevant. In general, newly found vulnerabilities are patched in new releases. Some of the issues above were fixed in the latest version; for example, SSLv3 was disabled and RC4 ciphers were removed from the cipher suites.

    You are correct that you can easily restrict TLS to 1.2 in tomcat.conf. Lighttpd is very tricky because the binary is part of the VMware Studio bundle; it does not support newer protocols and has not been replaced yet. The risk associated with lighttpd can be mitigated by restricting access to the management console to a secure internal network.

    Regards,

    Jan