
Security Vulnerability for Webcache -- SSL Weak Cipher Suites Supported

SSL Vulnerability with Webcache with SSL Weak Cipher

Following is one of the reports from Nessus.

SSL Weak Cipher Suites Supported

The remote service supports the use of weak SSL ciphers.

The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network.

Risk factor:

CVSS Base Score:4.3

See also:

Reconfigure the affected application if possible to avoid use of weak ciphers.

This finding is usually reported by your security scanner.
Strong 128-bit encryption on its own is not enough; it all depends on which SSL cipher versions the server supports. A server that still supports a weak SSL cipher version remains vulnerable to attacks.

There are 3 SSL versions: SSL 2.0, SSL 3.0, and SSL 3.1, which is TLS (Transport Layer Security). SSL 2.0, the oldest supported version, is considered weak and needs to be disabled.

To get rid of the error, first check your SSL port.

Go to your webcache home and use opmn:

$ORACLE_HOME/opmn/bin/opmnctl status -l

ias-component      | process-type       |     pid | status   |        uid |  memused |    uptime | ports
HTTP_Server        | HTTP_Server        |  933924 | Alive    |  327877050 |     9056 |  00:40:56 | http1:7778,http2:7200
LogLoader          | logloaderd         |     N/A | Down     |        N/A |      N/A |       N/A | N/A
dcm-daemon         | dcm-daemon         |     N/A | Down     |        N/A |      N/A |       N/A | N/A
OC4J               | home               | 1941518 | Alive    |  327877051 |    42648 |  00:40:58 | ajp:12508,rmi:12408,jms:12608
WebCache           | WebCache           | 3408104 | Alive    |  327877052 |   700644 |  00:40:58 | http:7777,invalidation:9401,statistics:9402,https:443,http_1:80
WebCache           | WebCacheAdmin      | 1200336 | Alive    |  327877053 |    18860 |  00:40:58 | administration:9400
DSA                | DSA                |     N/A | Down     |        N/A |      N/A |       N/A | N/A

In my case my https port is 443.

Now use the following command and check if SSLv2 is used.

openssl s_client -ssl2 -connect localhost:443

If this connects using SSL version 2, it means that SSL 2.0 is enabled and the server is vulnerable to attacks.

To disable SSL 2.0,

Open webcache.xml under $ORACLE_HOME/webcache.

Modify the line below,




Here I have modified SSLENABLED="SSLV3_V2H" to SSLENABLED="SSLV3"

Once the file is modified, restart your webcache component.

opmnctl restartproc process-type=WebCache

Now test if SSL 2.0 has been disabled with the same command,

openssl s_client -ssl2 -connect localhost:443
1576972:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

This has worked: you see a handshake failure on port 443.
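
The configuration check and edit described above can be scripted. The following is an added example, not code from the original post: it flags the SSLV3_V2H value in webcache.xml, rewrites it to SSLV3 with a backup, and checks captured s_client output for the handshake failure shown in the re-test. The LISTEN element and PORT attribute in the sample file are assumptions; only SSLENABLED and its two values come from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Only SSLENABLED, SSLV3_V2H and
# SSLV3 come from the post; LISTEN and PORT in the sample are assumptions.

# Print "<line>:<value>" for each SSLENABLED attribute that still allows
# SSL 2.0 (the SSLV3_V2H value the post replaces).
find_sslv2_enabled() {
    grep -n 'SSLENABLED="SSLV3_V2H"' "$1" |
        sed 's/^\([0-9][0-9]*\):.*SSLENABLED="\([^"]*\)".*$/\1:\2/'
}

# Back up the file, rewrite SSLV3_V2H to SSLV3, and fail if any remain.
disable_sslv2() {
    conf=$1
    cp -p "$conf" "$conf.bak" || return 1
    sed 's/SSLENABLED="SSLV3_V2H"/SSLENABLED="SSLV3"/g' "$conf.bak" > "$conf" || return 1
    [ -z "$(find_sslv2_enabled "$conf")" ]
}

# True when captured `openssl s_client -ssl2` output carries the handshake
# failure text shown in the post's re-test, i.e. SSL 2.0 was refused.
sslv2_refused() {
    printf '%s\n' "$1" | grep -q 'ssl handshake failure'
}

# Constructed sample configuration, used only for the dry run below.
make_sample() {
    cat > "$1" <<'EOF'
<LISTEN PORT="443" SSLENABLED="SSLV3_V2H"/>
<LISTEN PORT="4443" SSLENABLED="SSLV3"/>
EOF
}

# Dry run against the sample in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/webcache.xml"
    echo "weak before: $(find_sslv2_enabled "$tmp/webcache.xml")"
    disable_sslv2 "$tmp/webcache.xml" && echo "weak after: none"
    rm -rf "$tmp"
}

demo
```

On a real system, call `disable_sslv2 "$ORACLE_HOME/webcache/webcache.xml"` before the opmnctl restart. OpenSSL builds without SSLv2 support do not accept the -ssl2 option, so the re-test needs a client that still has it.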


Guest said…
Hey, nice site you have here! Keep up the excellent work!

ISTQB Training Institute in Chennai
Hello! Nice post! Is it possible to use TLS instead of SSL?
sathyaramesh said…
All are saying the same thing repeatedly, but in your blog I had a chance to get some useful and unique information, I love your writing style very much, I would like to suggest your blog in my dude circle, so keep on updates.
