Fixing VAPT vulnerabilities
VAPT vulnerability - Insecure Transport: Weak SSL Cipher
Solution
- Disable support for weak ciphers on the server. Weak ciphers are generally defined as:
  - Any cipher with a key length of less than 128 bits.
  - Cipher suites that do not have Perfect Forward Secrecy (PFS).
  - All CBC mode ciphers due to POODLE, Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL, and Sleeping POODLE vulnerabilities.
  - All ciphers that use SHA1 as the cryptographic hash function.
VAPT vulnerability - Insecure Transport: Weak SSL Protocol
Solution
- Configure the web server to use TLSv1.2 or higher.
- Disable TLSv1 and TLSv1.1.
Note: The above solutions were tested on WebSphere® Application Server Liberty 21 with Java™ 8 Update 212.
Resolving the vulnerabilities
- Navigate to the <LIBERTY_INSTALLATION>/usr/servers/<instance>/logs folder.
- Open the messages.log file and check the value of the java.home property.

    ********************************************************************************
    product = WebSphere Application Server 21.0.0.10 (wlp-1.0.57.cl211020210920-1900)
    wlp.install.dir = /home/admin1/username/Installed/Liberty/
    java.home = /usr/lib/jvm/java-8-openjdk-amd64/jre
    java.version = 1.8.0_432
    java.runtime = OpenJDK Runtime Environment (1.8.0_432-8u432-ga~us1-0ubuntu2~22.04-ga)
    os = Linux (6.8.0-40-generic; amd64) (en_IN)
    process = 3123947@vlakersite
    ********************************************************************************

- Navigate to the JAVA_HOME/jre/lib/security folder and edit the java.security file.
- Search for the jdk.tls.disabledAlgorithms variable and add the following values if not present.

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, CBC, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        ECDH

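
The steps above can be checked offline with a short script. This is an added example, not part of the original page or of any IBM tooling: the function names are hypothetical, and it assumes java.security sits under either <java.home>/lib/security or <java.home>/jre/lib/security and that entries are spelled exactly as listed on this page.

```shell
# Added example: function names are hypothetical, not Liberty or JDK tooling.

# Read java.home from the header of a Liberty messages.log.
java_home_from_log() {
    sed -n 's/^[[:space:]]*java\.home[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Print the effective jdk.tls.disabledAlgorithms value: skip commented-out
# copies, join "\" continuation lines, let the last definition win.
disabled_algorithms() {
    awk '
        !on && /^[[:space:]]*#/ { next }
        !on && /^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=/ {
            sub(/^[^=]*=/, ""); on = 1; val = ""
        }
        on { more = sub(/\\$/, ""); val = val $0; if (!more) { on = 0; last = val } }
        END { if (on) last = val; print last }
    ' "$1"
}

# Print every entry from this page's list that the file lacks, one per line.
# Entries are compared whole, so 3DES_EDE_CBC does not count as CBC.
missing_entries() {
    have=$(disabled_algorithms "$1" | tr ',' '\n' | tr '\t' ' ' | tr -s ' ' |
        sed 's/^ //; s/ $//')
    for want in SSLv3 TLSv1 TLSv1.1 RC4 CBC DES MD5withRSA 'DH keySize < 1024' \
        'EC keySize < 224' 3DES_EDE_CBC anon NULL ECDH; do
        printf '%s\n' "$have" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Audit the java.security of the JVM that Liberty actually started.
# Returns 0 if complete, 1 if entries are missing, 2 if a file cannot be found.
audit_liberty_tls() {
    jh=$(java_home_from_log "$1")
    [ -n "$jh" ] || { echo "java.home not found in $1" >&2; return 2; }
    # Assumed locations: java.home may or may not already end in /jre.
    for f in "$jh/lib/security/java.security" "$jh/jre/lib/security/java.security"; do
        [ -f "$f" ] || continue
        missing=$(missing_entries "$f")
        [ -z "$missing" ] && return 0
        printf 'missing from %s:\n%s\n' "$f" "$missing" >&2
        return 1
    done
    echo "java.security not found under $jh" >&2; return 2
}

# Usage: sh audit.sh <LIBERTY_INSTALLATION>/usr/servers/<instance>/logs/messages.log
[ "$#" -eq 0 ] || audit_liberty_tls "$1"
```

Restart the Liberty server after editing java.security so the JVM rereads the file, then confirm the result from the network side as described in the next section.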
Verifying whether the weak SSL ciphers and protocols were disabled
- Go to the Testing TLS/SSL encryption site.
- Download the latest tool: testssl.sh-3.0.9.tar.gz
- Untar the file and run the following command.

    chmod a+x testssl.sh

- Run the script by using the following command.

    ./testssl.sh <pmf-server-url>:<port>

- Verify the following points.
  - TLSv1 and TLSv1.1 are not offered.
  - Obsolete CBC ciphers (AES, ARIA etc.) are not offered.
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA are not offered.