Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute.
Issue:
Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute.
Product Lines:
PowerChute Business Edition 10.0.1, 10.0.2, 10.0.3, 10.0.4
PowerChute Network Shutdown 4.4, 4,4,1, 4,4,2, 4,4,3
Environment:
All supported OS
Cause:
Week cipher suite
Solution:
Edit the java.security file and disallow DH cipher suite less than 2048
PowerChute Business Edition on Windows OS the java.security file will be found in
C:\Program Files (x86)\APC\PowerChute Business Edition\jre\conf\security if PowerChute has been installed to the default path.
PowerChute Business Edition on Linux OS the java.security file will be found in
/opt/APC/PowerChuteBusinessEdition/jre/config/security if PowerChute has been installed to the default path.
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Change to
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
PowerChute Network Shutdown on Windows 64 bit OS the java.security file will be found in
C:\Program Files\APC\PowerChute\jre_x64\conf\security
PowerChute Network Shutdown 4.4.1 on Linux OS the java.security file will be found in
/opt/APC/PowerChute/jre-15.0.1/config/security if PowerChute has been installed to the default path.
Add the link DH keySize < 2048,
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves
Add
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, DH keySize < 2048,\
include jdk.disabled.namedCurves
NOTE:
Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute.
Product Lines:
PowerChute Business Edition 10.0.1, 10.0.2, 10.0.3, 10.0.4
PowerChute Network Shutdown 4.4, 4,4,1, 4,4,2, 4,4,3
Environment:
All supported OS
Cause:
Week cipher suite
Solution:
Edit the java.security file and disallow DH cipher suite less than 2048
PowerChute Business Edition on Windows OS the java.security file will be found in
C:\Program Files (x86)\APC\PowerChute Business Edition\jre\conf\security if PowerChute has been installed to the default path.
PowerChute Business Edition on Linux OS the java.security file will be found in
/opt/APC/PowerChuteBusinessEdition/jre/config/security if PowerChute has been installed to the default path.
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Change to
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
PowerChute Network Shutdown on Windows 64 bit OS the java.security file will be found in
C:\Program Files\APC\PowerChute\jre_x64\conf\security
PowerChute Network Shutdown 4.4.1 on Linux OS the java.security file will be found in
/opt/APC/PowerChute/jre-15.0.1/config/security if PowerChute has been installed to the default path.
Add the link DH keySize < 2048,
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves
Add
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, DH keySize < 2048,\
include jdk.disabled.namedCurves
NOTE:
- If running an older version, upgrading to the latest and following the steps above is recommended.
- This issue was resolved with the release of PowerChute Business Edition Agent 10.0.5, PowerChute Serial Shutdown version 1, and PowerChute Network Shutdown 5
פורסם עבור: שניידר אלקטריק ישראל
זקוק לעזרה?
בורר מוצרים
חפשו ברשת מפיצים מאומתים עם יותר מ-15,000 נקודות מכירה ברחבי העולם.
קבלת הצעת מחיר
התחילו את בקשת הקניה בצורה מקוונת ונציג מכירות ייצור עמכם קשר.
היכן לקנות?
אתר בקלות את מפיץ Schneider Electric הקרוב ביותר אליך.
מרכז העזרה
חפשו משאבי תמיכה לכל הצרכים שלכם במקום אחד.