
The Qualys team found a vulnerability with our GlassFish on port no. 3920.

glassfish version :- glassfish-3.1.2.2

Port no :- 3920,3820

Below are the details from Qualys:

Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security.

Impact :- An attacker can exploit this vulnerability to decrypt secure communications without authorization.

Let us know how to fix this vulnerability for ports 3920 and 3820 in GlassFish 3.1.2.2.

HBruijn
user1726453

2 Answers


The SSL/TLS standards don't mandate a single specific encryption cipher, but allow the client and the server to negotiate to select one they both support.

To improve interoperability most server implementations support - by default - the largest possible range of ciphers, including some which are now considered weak (e.g. RC4). That's what triggers Qualys.

In your Glassfish server you can override the defaults and restrict the list of supported encryption ciphers in the configuration. Check the create-ssl directive and set for instance:

create-ssl --ssl2enabled=false --ssl3enabled=true --tlsenabled=true ....
HBruijn

In case others are trying to perform this task, the following information can be found within the DTD for the domain (glassfish/lib/dtds/sun-domain_1_3.dtd):

ssl3-tls-ciphers
    A comma-separated list of the SSL3 ciphers used, with the
    prefix + to enable or - to disable, for example
    +SSL_RSA_WITH_RC4_128_MD5. Allowed SSL3/TLS values are those
    that are supported by the JVM for the given security provider
    and security service configuration. If no value is specified,
    all supported ciphers are assumed to be enabled.

The following command line can then be used to set the ciphers. WARNING: the ciphers used here are an example; make sure you set them to something that will work in your environment.

asadmin set 'configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-tls-ciphers=+SSL_RSA_WITH_RC4_128_MD5,-SSL_RSA_WITH_NULL_MD5'
Enter admin user name>  admin
Enter admin password for user "appservd">
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-tls-ciphers= SSL_RSA_WITH_RC4_128_MD5,-SSL_RSA_WITH_NULL_MD5
Command set executed successfully.

NOTE: The output that gets echoed is incorrect; grepping the domain.xml shows that it's set properly:

grep SSL_RSA ~/domains/domain1/config/domain.xml
            <ssl key-store="keystore.jks" ssl3-tls-ciphers="+SSL_RSA_WITH_RC4_128_MD5,-SSL_RSA_WITH_NULL_MD5" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" trust-store="cacerts.jks" cert-nickname="s1as"></ssl>

Alternatively, use asadmin get to retrieve the config:

asadmin get 'configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.*'
Enter admin user name>  admin
Enter admin password for user "appservd">
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.allow-lazy-init=true
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=s1as
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.classname=com.sun.enterprise.security.ssl.GlassfishSSLImpl
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.client-auth=
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.client-auth-enabled=false
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.key-store=keystore.jks
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.key-store-password-provider=plain
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl-inactivity-timeout=30
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl2-enabled=false
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-enabled=false
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-tls-ciphers= SSL_RSA_WITH_RC4_128_MD5,-SSL_RSA_WITH_NULL_MD5
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls-enabled=true
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls-rollback-enabled=true
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls11-enabled=true
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls12-enabled=true
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.trust-max-cert-length=5
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.trust-store=cacerts.jks
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.trust-store-password-provider=plain
Command get executed successfully.
MarkBarry
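As an added example (not code from the question, either answer, or GlassFish itself), the following Python script applies the ssl3-tls-ciphers rules quoted from the DTD in the second answer to a domain.xml and reports which TLS listeners still enable LOW-strength suites, which is the check behind a scanner finding like the one in the question and behind the first answer's point that servers negotiate from an over-broad default list. It reads domain.xml directly rather than trusting the echoed asadmin output, since the answer notes that echo drops the + prefix. The trimmed sample domain.xml, the weak-suite marker list, the default assumed for a missing ssl3-enabled attribute, and the helper names parse_cipher_list, audit_domain_xml, hardened_cipher_value and set_command are all constructed for this example; the dotted configs.config...ssl3-tls-ciphers path is the one used in the answer above.

```python
"""Audit GlassFish listener TLS settings in domain.xml for weak cipher suites.

Constructed example for this thread. It implements the ssl3-tls-ciphers
semantics quoted from the DTD (+ enables, - disables, no value means every
suite the JVM supports is enabled) and flags LOW-strength suites.
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed domain.xml (not a real file from the page): one listener
# set like the answer above, one with an AES-only list, one <ssl> with no cipher
# attribute at all, and one plain-HTTP listener without <ssl>.
SAMPLE_DOMAIN_XML = """<domain><configs><config name="server-config">
<network-config><protocols>
  <protocol name="http-listener-2" security-enabled="true">
    <ssl key-store="keystore.jks" cert-nickname="s1as"
         ssl3-tls-ciphers="+SSL_RSA_WITH_RC4_128_MD5,-SSL_RSA_WITH_NULL_MD5"/>
  </protocol>
  <protocol name="admin-listener" security-enabled="true">
    <ssl key-store="keystore.jks" cert-nickname="s1as" ssl3-enabled="false"
         ssl3-tls-ciphers="+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA"/>
  </protocol>
  <protocol name="http-listener-3" security-enabled="true">
    <ssl key-store="keystore.jks" cert-nickname="s1as"/>
  </protocol>
  <protocol name="http-listener-1"/>
</protocols></network-config></config></configs></domain>"""

# Substrings marking a suite as LOW/insecure for this example (NULL, RC4, MD5,
# single DES, 3DES, export-grade, anonymous key exchange). This is the example's
# own list, not the scanner vendor's exact definition.
WEAK_MARKERS = ("_NULL_", "_RC4_", "_MD5", "_DES_", "_3DES_", "_EXPORT", "_anon_")

# Dotted attribute path in the form used by the asadmin set command above.
SET_PATH = ("configs.config.server-config.network-config.protocols."
            "protocol.{listener}.ssl.ssl3-tls-ciphers")


def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)


def parse_cipher_list(value):
    """Return (enabled, disabled, unrestricted) for an ssl3-tls-ciphers value.

    unrestricted is True when the attribute is empty or missing: per the DTD
    every suite the JVM supports is then enabled, which is exactly what lets
    LOW suites through. Entries with no prefix are treated as enabled
    (assumption; the DTD text only documents + and -).
    """
    enabled, disabled = [], []
    if value is None or not value.strip():
        return enabled, disabled, True
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if entry.startswith("-"):
            disabled.append(entry[1:])
        else:
            enabled.append(entry[1:] if entry.startswith("+") else entry)
    return enabled, disabled, False


def audit_domain_xml(xml_text):
    """Map each <protocol> carrying an <ssl> element to its findings."""
    findings = {}
    for protocol in ET.fromstring(xml_text).iter("protocol"):
        ssl = protocol.find("ssl")
        if ssl is None:
            continue  # plain HTTP listener, nothing to negotiate
        enabled, _disabled, unrestricted = parse_cipher_list(ssl.get("ssl3-tls-ciphers"))
        findings[protocol.get("name")] = {
            "unrestricted": unrestricted,
            "weak_enabled": [s for s in enabled if is_weak(s)],
            "ssl2_enabled": ssl.get("ssl2-enabled", "false") == "true",
            # Assumption: a missing ssl3-enabled attribute is treated as true.
            "ssl3_enabled": ssl.get("ssl3-enabled", "true") == "true",
        }
    return findings


def hardened_cipher_value(value):
    """Rewrite a cipher list so every weak suite is explicitly disabled.

    Returns None when no strong + entry would remain (or the list is empty):
    the admin must then pick explicit suites supported by the JVM in use.
    """
    enabled, disabled, unrestricted = parse_cipher_list(value)
    keep = ["+" + s for s in enabled if not is_weak(s)]
    if unrestricted or not keep:
        return None
    drop = ["-" + s for s in enabled if is_weak(s)] + ["-" + s for s in disabled]
    return ",".join(keep + drop)


def set_command(listener, cipher_value):
    """asadmin invocation in the dotted-name form used in the answer above."""
    return "asadmin set '%s=%s'" % (SET_PATH.format(listener=listener), cipher_value)


if __name__ == "__main__":
    for name, result in audit_domain_xml(SAMPLE_DOMAIN_XML).items():
        print(name, result)
```

Run against a real domain.xml by reading the file into audit_domain_xml; a listener reported as unrestricted or with a non-empty weak_enabled list is the one the scanner will keep flagging until its ssl3-tls-ciphers value names only strong suites, after which the grep shown in the answer above confirms what was written.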