Skip to main content

Security Vulnerability for Webcache -- SSL Weak Cipher Suites Supported


SSL Vulnerability with Webcache with SSL Weak Cipher


Following is one of the reports from Nessus.

SSL Weak Cipher Suites Supported

Synopsis:
The remote service supports the use of weak SSL ciphers.

Description:
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network.

Risk factor:
Medium

CVSS Base Score:4.3
CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

See also:
http://www.openssl.org/docs/apps/ciphers.html

Solution:
Reconfigure the affected application if possible to avoid use of weak ciphers.



This is usually reported from your security scanner.
It does not matter if you have a strong encryption with 128 bit, it all depends on your SSL Cipher version supported. In security it is said that with a weak SSL cipher version server is still vulnerable to attacks.

There are 3 types of SSL Version,

SSL 2.0, 3.0 and 3.1 or TLS. TLS stands for Transport Layer Security. SSL 2.0 which is the oldest version supported is considered as weak and needs to be disabled.

To get rid of the error first check if your SSL port,

Go to your webcahe home and opmn.

$ORACLE_HOME/opmn/bin/opmnctl status -l

-------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component      | process-type       |     pid | status   |        uid |  memused |    uptime | ports
-------------------+--------------------+---------+----------+------------+----------+-----------+------
HTTP_Server        | HTTP_Server        |  933924 | Alive    |  327877050 |     9056 |  00:40:56 | http1:7778,http2:7200
LogLoader          | logloaderd         |     N/A | Down     |        N/A |      N/A |       N/A | N/A
dcm-daemon         | dcm-daemon         |     N/A | Down     |        N/A |      N/A |       N/A | N/A
OC4J               | home               | 1941518 | Alive    |  327877051 |    42648 |  00:40:58 | ajp:12508,rmi:12408,jms:12608
WebCache           | WebCache           | 3408104 | Alive    |  327877052 |   700644 |  00:40:58 | http:7777,invalidation:9401,statistics:9402,https:443,http_1:80
WebCache           | WebCacheAdmin      | 1200336 | Alive    |  327877053 |    18860 |  00:40:58 | administration:9400
DSA                | DSA                |     N/A | Down     |        N/A |      N/A |       N/A | N/A



In my case my https port is 443.

Now use the following command and check if SSLv2 is used.

openssl s_client -ssl2 -connect localhost:443
CONNECTED(00000003)

This gets connected with SSL version v2, it means that SSL 2.0 is enabled and the server is vulnerable to attacks.

To disable SSL 2.0,

Open webcache.xml under $ORACLE_HOME/webcache.

Modify the line below,

 <LISTEN IPADDR="ANY" PORT="443" PORTTYPE="NORM" SSLENABLED="SSLV3_V2H" CLIENT_CERT="NO" STRONG_CRYPTO_ONLY="NO" Key="IPADDR PORT">

to

 <LISTEN IPADDR="ANY" PORT="443" PORTTYPE="NORM" SSLENABLED="SSLV3" CLIENT_CERT="NO" STRONG_CRYPTO_ONLY="NO" Key="IPADDR PORT">


Here I have modified SSLENABLED="SSLV3_V2H" to SSLENABLED="SSLV3"


Once the file is modified restart your webcache component.

opmnctl restartproc process-type=WebCache

Now test if SSL 2.0 has been disabled with the same command,

openssl s_client -ssl2 -connect localhost:443
CONNECTED(00000003)
1576972:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:



This has wored and you see an handshake failure on port 443.










Comments

Guest said…
Hey, nice site you have here! Keep up the excellent work!



ISTQB Training Institute in Chennai
Hello! Nice post! Is this possible to use TLS instead SSL?
sathyaramesh said…
All are saying the same thing repeatedly, but in your blog I had a chance to get some useful and unique information, I love your writing style very much, I would like to suggest your blog in my dude circle, so keep on updates.
Software Testing Training in Chennai
Software Testing Course in Chennai
Hadoop Training in Chennai
Python Training in Chennai
Software Testing Training in Porur
Software Testing Training in Adyar
Software Testing Training in Tnagar

Popular posts from this blog

SQL Interview Questions on Subqueries

SUB Queries:
1. List the employees working in research department 2. List employees who are located in New York and Chicago
3. Display the department name in which ANALYSTS are working
4. Display employees who are reporting to JONES
5. Display all the employees who are reporting to Jones Manager
6. Display all the managers in SALES and ACCOUNTING department
7. Display all the employee names in Research and Sales Department who are having at least 1 person reporting to them
8. Display all employees who do not have any reportees
9. List employees who are having at least 2 reporting
10. List the department names which are having more than 5 employees
11. List department name having at-least 3 salesman
12. List employees from research and accounting having at-least 2 reporting
13. Display second max salary
14. Display 4th max salary
15. Display 5th max salary  -- Answer for nth Max Salary
Co-Related Subqueries:
16. Write a query to get 4th max salary from EMP table
17. Write a query to get 2nd…

Basics of RDBMS

Data
Small set of information becomes data, this set of information helps make decision. Data is always some useful information.


Database
Place where you store the data. Database represents some aspect of the real world called "miniworld". A database is designed, built and populated with data for a specific purpose. It has intended group of users and some preconceived applications in which these users are interested.

In other words, a database has some source from which data is derived, some degree of interaction with events in the real world and an audience that is actively interested in the contents of the database.

Database can also be defined as collection of one or more tables.

Ex: Mobile, human brain etc



DBMS (Database Management System)
Is a program that stores retrieves and modifies data in the database on request.

Study of different techniques of design, development and maintenance of the database

Types of DBMS
These types are based upon their management of database s…

Answers for SQL Functions

1. SQL> SELECT empno, ename FROM emp WHERE Length(ename) = 4;

2. SQL> SELECT empno, ename, job FROM emp where Length(job)=7;

3. SQL> SELECT Length('qspiders') - Length(replace('qspiders','s','')) FROM dual;

4. SQL>  SELECT empno, ename, job FROM emp WHERE Instr(job,'MAN') >0;

5. SQL> SELECT empno, ename, job FROM emp WHERE Instr(job, 'MAN') =1;

6. SQL> SELECT empno, ename, job FROM emp WHERE (Length(ename) - Length(Replace(ename, 'L',''))) = 1;

7. SQL> SELECT * FROM dept WHERE Instr(dname,'O') > 0;

8. SQL> SELECT Concat(ename,' working as a ') || Concat(job, ' earns ') || Concat(sal, '  in ') || Conc
at('dept ',deptno) AS text from emp;

OR

SQL> SELECT Concat(Concat(Concat(Concat(Concat(Concat(Concat(ename,' working as a '), job),' earns '), sal),'  in '),'dept '), deptno) AS text FROM emp;

9. SQL> SELECT empno, ename…