Fixing VAPT vulnerabilities

VAPT vulnerability - Insecure Transport: Weak SSL Cipher

Solution

  1. Disable support for weak ciphers on the server. Weak ciphers are generally defined as:
    • Any cipher with key length less than 128 bits.
    • Cipher suites that do not have Perfect Forward Secrecy (PFS).
    • All CBC mode ciphers due to POODLE, Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL, and Sleeping POODLE vulnerabilities.
    • All cipher suites that use SHA-1 as the hash (MAC) function.

VAPT vulnerability - Insecure Transport: Weak SSL Protocol

Solution

  • Configure the web server to use TLSv1.2 or higher.
  • Disable TLSv1 and TLSv1.1.

Note: The above solutions were tested on WebSphere® Application Server Liberty 21 with Java™ 8 Update 212.

Resolving the vulnerabilities

  1. Navigate to the <LIBERTY_INSTALLATION>/usr/servers/<instance>/logs folder.
  2. Open messages.log and check the value of the java.home property.

         ********************************************************************************
         product = WebSphere Application Server 21.0.0.10 (wlp-1.0.57.cl211020210920-1900)
         wlp.install.dir = /home/admin1/username/Installed/Liberty/
         java.home = /usr/lib/jvm/java-8-openjdk-amd64/jre
         java.version = 1.8.0_432
         java.runtime = OpenJDK Runtime Environment (1.8.0_432-8u432-ga~us1-0ubuntu2~22.04-ga)
         os = Linux (6.8.0-40-generic; amd64) (en_IN)
         process = 3123947@vlakersite
         ********************************************************************************
    
  3. Navigate to the JAVA_HOME/jre/lib/security folder and edit the java.security file.
  4. Search for the jdk.tls.disabledAlgorithms property and add the following values if they are not already present.

     jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, CBC, DES, MD5withRSA, \
         DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
         ECDH
    

Verifying whether the weak SSL ciphers and protocols were disabled

  1. Go to the Testing TLS/SSL encryption site (testssl.sh).
  2. Download the latest tool: testssl.sh-3.0.9.tar.gz
  3. Untar the file and run the following command to make the script executable.

    chmod a+x testssl.sh

  4. Run the script by using the following command.

    ./testssl.sh <pmf-server-url>:<port>

  5. Verify the following points.
    • TLSv1 and TLSv1.1 are not offered.
    • Obsolete CBC ciphers (AES, ARIA, etc.) are not offered.
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA are not offered.
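As an added example (not part of the original page, nor of the WebSphere Liberty or testssl.sh projects), the following Python script applies the four weak-cipher rules from the first solution to IANA cipher-suite names, so the list of suites that testssl.sh reports as offered can be checked mechanically against the policy, and it includes a small probe that asks a server whether it still completes a handshake pinned to TLSv1 or TLSv1.1. The KEY_BITS table, the constructed sample suite list and the function names are this example's own assumptions; only the Python standard library is used.

```python
# Added example (not part of the original page): classify TLS cipher suites by their
# IANA names against the weak-cipher rules listed above, and probe whether a server
# still accepts a given protocol version. Only the Python standard library is used.
import socket
import ssl

# Symmetric key length in bits for the bulk-cipher token in an IANA suite name.
# Constructed lookup table for this example; more specific tokens come first so
# that "3DES_EDE" is matched before "DES" and "RC4_40" before a bare RC4 entry.
KEY_BITS = [
    ("3DES_EDE", 112), ("AES_128", 128), ("AES_256", 256),
    ("ARIA_128", 128), ("ARIA_256", 256),
    ("CAMELLIA_128", 128), ("CAMELLIA_256", 256),
    ("CHACHA20", 256), ("RC4_128", 128), ("RC4_40", 40),
    ("DES40", 40), ("DES", 56), ("NULL", 0),
]


def classify(suite):
    """Return the list of policy violations for one cipher suite name.

    An empty list means the suite passes all four rules: key >= 128 bits,
    ephemeral (PFS) key exchange, no CBC mode, no SHA-1/MD5 MAC.
    """
    if "_WITH_" in suite:
        kx, _, bulk = suite.partition("_WITH_")
        kx = kx[4:] if kx.startswith("TLS_") else kx
        # ECDHE_*/DHE_* are ephemeral; RSA, ECDH_*, DH_* and *_anon are not.
        pfs = "DHE" in kx
    else:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) have no key-exchange part:
        # key exchange is always ephemeral and the cipher is always AEAD.
        kx, pfs = "TLS13", True
        bulk = suite[4:] if suite.startswith("TLS_") else suite

    reasons = []
    bits = next((b for token, b in KEY_BITS if token in bulk), None)
    if bits is None:
        reasons.append("unknown bulk cipher")
    elif bits < 128:
        reasons.append("key length %d < 128 bits" % bits)
    if not pfs:
        reasons.append("no PFS")
    if "anon" in kx.lower():
        reasons.append("anonymous key exchange")
    if "_CBC_" in suite:
        reasons.append("CBC mode")
    if suite.endswith("_SHA") or suite.endswith("_MD5"):
        reasons.append("SHA-1/MD5 MAC")
    return reasons


def audit(offered):
    """Map every offered suite that violates the policy to its list of reasons."""
    return {s: classify(s) for s in offered if classify(s)}


def protocol_offered(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`
    (an ssl.TLSVersion member). Certificate validation is disabled on purpose:
    the question is protocol support, not server identity. The local OpenSSL
    must itself still allow the legacy version; if it refuses, the handshake
    fails on the client side and this returns False as well.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    # Constructed sample: suites a scan might report as offered by an
    # unhardened server. Not real scan output.
    SAMPLE_OFFERED = [
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ]
    for suite, why in audit(SAMPLE_OFFERED).items():
        print("%-45s %s" % (suite, "; ".join(why)))
    # To probe a live server, e.g. the host and port used in the testssl.sh step:
    #   protocol_offered("<pmf-server-url>", 443, ssl.TLSVersion.TLSv1)
```

Two caveats when using this alongside testssl.sh: RC4_128 is not caught by the key-length rule (it is a 128-bit stream cipher) and is only flagged here through its SHA-1 or MD5 MAC, which is why the java.security line above lists RC4 explicitly; and the protocol probe depends on the client's own OpenSSL still being willing to speak TLSv1 or TLSv1.1, which is the reason testssl.sh ships its own OpenSSL binaries, so treat a False from the probe as confirmation only when testssl.sh agrees.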