BDSSA: How to disable Triple DES/3DES - CVE-2016-2183 - Sweet32

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Decision Support - Server Automation (5 Viewer, 1 Query License)


    COMPONENT:

    BladeLogic Decision Support for Server Automation


    APPLIES TO:

    all BDSSA versions



    PROBLEM:

    The default configuration of BDSSA includes the 3DES cipher suite. This cipher suite has been determined to be weak (CVE-2016-2183, "Sweet32") and should be removed from use. More information about the vulnerability can be found in the MITRE CVE dictionary and the NIST NVD.
    How can I check for and remove usage of the weak 3DES cipher suite in BDSSA?

     


    SOLUTION:

     

    How to check for usage of the 3DES cipher suite

    Review the section "How to check for usage of the 3DES cipher suite" in article 000147506 and use the BDSSA host and ports instead of the BSA host and ports. For BDSSA the ports to check are 9443 (BDS Console), 443 (Apache WebServer) and 9640 (BDSSA Authentication Service).

    To remediate the BDSSA services

      

    Apache Tomcat (BDS Console)

      

    In <BDSSA Install>/tomcat/conf/server.xml, add or modify the ciphers attribute of the <Connector> element for the connector listening on port 9443:

        <Connector port="9443" [....] ciphers="TLS_RSA_WITH_AES_256_CBC_SHA" [...] />

    The ciphers listed must not include any DES or 3DES cipher suites. In the example above a single cipher suite, TLS_RSA_WITH_AES_256_CBC_SHA, is configured.
    After making the change, restart the Tomcat service.

    Apache WebServer

      

    Edit the files httpd-ssl.conf and httpd-ssl.conf.tmpl located in <BDSSA install>/webserver/conf/extra so that the SSLCipherSuite directive reads as shown below:

        SSLCipherSuite AES256-SHA

    After making the changes above, restart the Apache WebServer service.

    BDSSA Authentication Service

    Change the EnabledCipherSuites setting using the blasadmin utility on the BDSSA server:

        blasadmin -a set app enabledciphersuites TLS_RSA_WITH_AES_256_CBC_SHA

    Restart the BDSSA Authentication Service after making the change.

    Re-run the check for the vulnerability after making the changes to confirm that the DES/3DES cipher suites have been disabled in all three BDSSA services.
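    As a complement to the network check, the following script is an added example (not BMC's own code or part of this article) that audits the three configuration values described above for DES/3DES entries before the services are restarted. The sample server.xml and httpd-ssl.conf contents are constructed for illustration, and it assumes that multiple enabledciphersuites values, if any, are comma separated.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not real BDSSA files): a config that still lists 3DES, beside the hardened values.
WEAK_SERVER_XML = ('<Server><Service><Connector port="9443" SSLEnabled="true" '
                   'ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>'
                   '</Service></Server>')
FIXED_SERVER_XML = WEAK_SERVER_XML.replace(",TLS_RSA_WITH_3DES_EDE_CBC_SHA", "")
WEAK_HTTPD_CONF = "SSLEngine on\nSSLCipherSuite HIGH:DES-CBC3-SHA:!aNULL\n"
FIXED_HTTPD_CONF = "SSLEngine on\nSSLCipherSuite AES256-SHA\n"
OPENSSL_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "COMPLEMENTOFDEFAULT"}

def weak_ciphers(names):
    """Names that use DES or 3DES in IANA (3DES_EDE) or OpenSSL (DES-CBC3) form."""
    return [n for n in names if "DES" in n.upper()]

def tomcat_connector_ciphers(server_xml, port="9443"):
    """Ciphers of the <Connector> on `port`, or None when unset (JVM defaults apply)."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("port") == port:
            value = conn.get("ciphers")
            return None if value is None else [c.strip() for c in re.split(r"[,:]", value) if c.strip()]
    raise ValueError(f"no <Connector> on port {port}")

def apache_cipher_tokens(conf_text):
    """Tokens of the last active SSLCipherSuite directive (later directives win)."""
    tokens = []
    for line in conf_text.splitlines():
        m = re.match(r'\s*SSLCipherSuite\s+"?([^"\s]+)', line)
        if m:
            tokens = m.group(1).split(":")
    return tokens

def audit(server_xml, httpd_ssl_conf, blasadmin_value):
    """Map service -> offending entries; an empty dict means no DES/3DES found."""
    tomcat = tomcat_connector_ciphers(server_xml)
    # "!X" / "-X" tokens remove suites; bare aliases such as HIGH can expand to
    # 3DES on older OpenSSL builds, so they are reported for manual review.
    enabled = [t for t in apache_cipher_tokens(httpd_ssl_conf) if t and t[0] not in "!-"]
    results = {
        "tomcat": ["ciphers attribute not set"] if tomcat is None else weak_ciphers(tomcat),
        "apache": weak_ciphers(enabled) + [f"review alias {t}" for t in enabled if t in OPENSSL_ALIASES],
        "auth": weak_ciphers(blasadmin_value.split(",")),  # assumption: comma-separated list
    }
    return {service: hits for service, hits in results.items() if hits}

if __name__ == "__main__":
    print(audit(WEAK_SERVER_XML, WEAK_HTTPD_CONF, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"))
    print(audit(FIXED_SERVER_XML, FIXED_HTTPD_CONF, "TLS_RSA_WITH_AES_256_CBC_SHA"))
```

    Run it against the real server.xml and httpd-ssl.conf contents and the current blasadmin value; any non-empty result is a service still offering DES/3DES.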

     


    Article Number:

    000123007


    Article Type:

    Solutions to a Product Problem


