Issue:
Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute.
Product Lines:
PowerChute Business Edition 10.0.1, 10.0.2, 10.0.3, 10.0.4
PowerChute Network Shutdown 4.4, 4,4,1, 4,4,2, 4,4,3
Environment:
All supported OS
Cause:
Week cipher suite
Solution:
Edit the java.security file and disallow DH cipher suite less than 2048
PowerChute Business Edition on Windows OS the java.security file will be found in
C:\Program Files (x86)\APC\PowerChute Business Edition\jre\conf\security if PowerChute has been installed to the default path.
PowerChute Business Edition on Linux OS the java.security file will be found in
/opt/APC/PowerChuteBusinessEdition/jre/config/security if PowerChute has been installed to the default path.
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Change to
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
PowerChute Network Shutdown on Windows 64 bit OS the java.security file will be found in
C:\Program Files\APC\PowerChute\jre_x64\conf\security
PowerChute Network Shutdown 4.4.1 on Linux OS the java.security file will be found in
/opt/APC/PowerChute/jre-15.0.1/config/security if PowerChute has been installed to the default path.
Add the link DH keySize < 2048,
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves
Add
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, DH keySize < 2048,\
include jdk.disabled.namedCurves
NOTE:
Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute.
Product Lines:
PowerChute Business Edition 10.0.1, 10.0.2, 10.0.3, 10.0.4
PowerChute Network Shutdown 4.4, 4,4,1, 4,4,2, 4,4,3
Environment:
All supported OS
Cause:
Week cipher suite
Solution:
Edit the java.security file and disallow DH cipher suite less than 2048
PowerChute Business Edition on Windows OS the java.security file will be found in
C:\Program Files (x86)\APC\PowerChute Business Edition\jre\conf\security if PowerChute has been installed to the default path.
PowerChute Business Edition on Linux OS the java.security file will be found in
/opt/APC/PowerChuteBusinessEdition/jre/config/security if PowerChute has been installed to the default path.
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Change to
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
PowerChute Network Shutdown on Windows 64 bit OS the java.security file will be found in
C:\Program Files\APC\PowerChute\jre_x64\conf\security
PowerChute Network Shutdown 4.4.1 on Linux OS the java.security file will be found in
/opt/APC/PowerChute/jre-15.0.1/config/security if PowerChute has been installed to the default path.
Add the link DH keySize < 2048,
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves
Add
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, DH keySize < 2048,\
include jdk.disabled.namedCurves
NOTE:
- If running an older version, upgrading to the latest and following the steps above is recommended.
- This issue was resolved with the release of PowerChute Business Edition Agent 10.0.5, PowerChute Serial Shutdown version 1, and PowerChute Network Shutdown 5
Udgivet til: Schneider Electric Danmark
Brug for hjælp?
Produktvælger
Find hurtigt og nemt de rette produkter og det rette tilbehør til dine anvendelser.
Få et tilbud
Start din salgsforespørgsel online, så vil du blive kontaktet af en ekspert.
Find forhandler
Find den nærmeste Schneider Electric-distributør.
Hjælpecenter
Find supportressourcer til alle dine behov på ét sted.
