1 Reply Latest reply on Aug 31, 2016 12:28 PM by level0

    VMAN vulnerabilities - Still manual work around or now part of recent updates?


      Hi all, hoping you are able to confirm the below issue -

      The Security Governance team have been over the servers and provided their findings.


      • ssl-cve-2011-3389-beast TLS/SSL Server is enabling the BEAST attack
      • sslv3-cve-2014-3566-poodle TLS/SSL Server is enabling the POODLE attack
      • tlsv1_0-enabled TLS Server Supports TLS version 1.0
      • tlsv1_1-enabled TLS Server Supports TLS version 1.1
      • sslv3-supported TLS/SSL Server Supports SSLv3
      • rc4-cve-2013-2566 TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
      • ssl-3des-ciphers TLS/SSL Server Supports 3DES Cipher Suite
      • ssl-static-key-ciphers TLS/SSL Server Supports The Use of Static Key Ciphers


      So they have requested -

      Enable TLS1.2

      Disable TLS1.0, TLS1.1, SSLv2, SSLv3 and Ciphers.


      I know there are the following links to help resolve it:




      Obviously from the Tomcat section of the POODLE vulnerability I would only add sslEnabledProtocols="TLSv1.2", which would do some of what is required, but what about Lighttpd, as they don't want TLSv1 or SSLv2?


      Will these 2 mitigation links cover off everything on the risk list, or even better - are these risks entirely removed from the latest release of VMan and now no longer required to be done?



        • Re: VMAN vulnerabilities - Still manual work around or now part of recent updates?


          As far as I know, those articles are still relevant. In general, newly found vulnerabilities are being patched with new releases. Some of the issues above were fixed in the latest version, for example SSLv3 was disabled and RC4 ciphers were removed from the cipher suites.


          You are correct that you can easily restrict TLS to 1.2 in tomcat.conf. Lighttpd is very tricky because the binary is part of the VMware Studio bundle; it does not support newer protocols and has not been replaced yet. The risk associated with lighttpd can be mitigated by restricting access to the management console to a secure internal network.
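As an added example (not from this thread, SolarWinds or VMware), a small Python check that maps a candidate Tomcat connector setting (sslEnabledProtocols plus ciphers) back onto the scanner finding IDs listed in the question, so you can see which items a change covers before applying it. The SSLv2 finding ID and the sample cipher suite names are assumptions; the JSSE suite names must be ones the JVM running VMAN actually supports.

```python
"""Map a candidate Tomcat connector setting (sslEnabledProtocols + ciphers) onto
the scanner finding IDs from the thread, to see which items a change covers."""
import re

# Protocol names as Tomcat's sslEnabledProtocols accepts them -> finding ID.
# The SSLv2 ID is assumed; it does not appear in the scan output above.
PROTOCOL_FINDINGS = {
    "SSLv2": "sslv2-supported",
    "SSLv3": "sslv3-supported",
    "TLSv1": "tlsv1_0-enabled",
    "TLSv1.1": "tlsv1_1-enabled",
}


def cipher_findings(suite):
    """Finding IDs a single JSSE cipher suite name (e.g. SSL_RSA_WITH_RC4_128_SHA) triggers."""
    found = set()
    if "_RC4_" in suite:
        found.add("rc4-cve-2013-2566")
    if "_3DES_" in suite:
        found.add("ssl-3des-ciphers")
    # "Static key" = key exchange without forward secrecy (no DHE/ECDHE prefix).
    if not re.match(r"^(TLS|SSL)_(ECDHE|DHE)_", suite):
        found.add("ssl-static-key-ciphers")
    return found


def audit_connector(ssl_enabled_protocols, ciphers):
    """Return the sorted finding IDs still triggered by the given connector attributes."""
    protocols = {p.strip() for p in ssl_enabled_protocols.split(",") if p.strip()}
    suites = [c.strip() for c in ciphers.split(",") if c.strip()]
    findings = {PROTOCOL_FINDINGS[p] for p in protocols if p in PROTOCOL_FINDINGS}
    if "SSLv3" in protocols:
        findings.add("sslv3-cve-2014-3566-poodle")     # POODLE needs SSLv3 offered
    if "TLSv1" in protocols and any("_CBC_" in s for s in suites):
        findings.add("ssl-cve-2011-3389-beast")        # BEAST needs TLS 1.0 + a CBC suite
    for suite in suites:
        findings |= cipher_findings(suite)
    return sorted(findings)


# Constructed sample values: an old-style default and a candidate hardened setting.
LEGACY_PROTOCOLS = "SSLv3,TLSv1,TLSv1.1,TLSv1.2"
LEGACY_CIPHERS = "TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
HARDENED_PROTOCOLS = "TLSv1.2"
HARDENED_CIPHERS = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

if __name__ == "__main__":
    print("legacy  :", audit_connector(LEGACY_PROTOCOLS, LEGACY_CIPHERS))   # all eight findings
    print("hardened:", audit_connector(HARDENED_PROTOCOLS, HARDENED_CIPHERS))  # []
```

The Tomcat side is the only part this covers; the Lighttpd instance has to be dealt with by network restriction, as the reply says.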