Issue:
Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute.
Product Lines:
PowerChute Business Edition 10.0.1, 10.0.2, 10.0.3, 10.0.4
PowerChute Network Shutdown 4.4, 4,4,1, 4,4,2, 4,4,3
Environment:
All supported OS
Cause:
Week cipher suite
Solution:
Edit the java.security file and disallow DH cipher suite less than 2048
PowerChute Business Edition on Windows OS the java.security file will be found in
C:\Program Files (x86)\APC\PowerChute Business Edition\jre\conf\security if PowerChute has been installed to the default path.
PowerChute Business Edition on Linux OS the java.security file will be found in
/opt/APC/PowerChuteBusinessEdition/jre/config/security if PowerChute has been installed to the default path.
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Change to
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
PowerChute Network Shutdown on Windows 64 bit OS the java.security file will be found in
C:\Program Files\APC\PowerChute\jre_x64\conf\security
PowerChute Network Shutdown 4.4.1 on Linux OS the java.security file will be found in
/opt/APC/PowerChute/jre-15.0.1/config/security if PowerChute has been installed to the default path.
Add the link DH keySize < 2048,
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves
Add
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, DH keySize < 2048,\
include jdk.disabled.namedCurves
NOTE:
Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute.
Product Lines:
PowerChute Business Edition 10.0.1, 10.0.2, 10.0.3, 10.0.4
PowerChute Network Shutdown 4.4, 4,4,1, 4,4,2, 4,4,3
Environment:
All supported OS
Cause:
Week cipher suite
Solution:
Edit the java.security file and disallow DH cipher suite less than 2048
PowerChute Business Edition on Windows OS the java.security file will be found in
C:\Program Files (x86)\APC\PowerChute Business Edition\jre\conf\security if PowerChute has been installed to the default path.
PowerChute Business Edition on Linux OS the java.security file will be found in
/opt/APC/PowerChuteBusinessEdition/jre/config/security if PowerChute has been installed to the default path.
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Change to
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
PowerChute Network Shutdown on Windows 64 bit OS the java.security file will be found in
C:\Program Files\APC\PowerChute\jre_x64\conf\security
PowerChute Network Shutdown 4.4.1 on Linux OS the java.security file will be found in
/opt/APC/PowerChute/jre-15.0.1/config/security if PowerChute has been installed to the default path.
Add the link DH keySize < 2048,
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves
Add
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, DH keySize < 2048,\
include jdk.disabled.namedCurves
NOTE:
- If running an older version, upgrading to the latest and following the steps above is recommended.
- This issue was resolved with the release of PowerChute Business Edition Agent 10.0.5, PowerChute Serial Shutdown version 1, and PowerChute Network Shutdown 5
Released for: Schneider Electric Malaysia
Issue:
Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute.
Product Lines:
PowerChute Business Edition 10.0.1, 10.0.2, 10.0.3, 10.0.4
PowerChute Network Shutdown 4.4, 4,4,1, 4,4,2, 4,4,3
Environment:
All supported OS
Cause:
Week cipher suite
Solution:
Edit the java.security file and disallow DH cipher suite less than 2048
PowerChute Business Edition on Windows OS the java.security file will be found in
C:\Program Files (x86)\APC\PowerChute Business Edition\jre\conf\security if PowerChute has been installed to the default path.
PowerChute Business Edition on Linux OS the java.security file will be found in
/opt/APC/PowerChuteBusinessEdition/jre/config/security if PowerChute has been installed to the default path.
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Change to
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
PowerChute Network Shutdown on Windows 64 bit OS the java.security file will be found in
C:\Program Files\APC\PowerChute\jre_x64\conf\security
PowerChute Network Shutdown 4.4.1 on Linux OS the java.security file will be found in
/opt/APC/PowerChute/jre-15.0.1/config/security if PowerChute has been installed to the default path.
Add the link DH keySize < 2048,
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves
Add
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, DH keySize < 2048,\
include jdk.disabled.namedCurves
NOTE:
Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute.
Product Lines:
PowerChute Business Edition 10.0.1, 10.0.2, 10.0.3, 10.0.4
PowerChute Network Shutdown 4.4, 4,4,1, 4,4,2, 4,4,3
Environment:
All supported OS
Cause:
Week cipher suite
Solution:
Edit the java.security file and disallow DH cipher suite less than 2048
PowerChute Business Edition on Windows OS the java.security file will be found in
C:\Program Files (x86)\APC\PowerChute Business Edition\jre\conf\security if PowerChute has been installed to the default path.
PowerChute Business Edition on Linux OS the java.security file will be found in
/opt/APC/PowerChuteBusinessEdition/jre/config/security if PowerChute has been installed to the default path.
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Change to
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
PowerChute Network Shutdown on Windows 64 bit OS the java.security file will be found in
C:\Program Files\APC\PowerChute\jre_x64\conf\security
PowerChute Network Shutdown 4.4.1 on Linux OS the java.security file will be found in
/opt/APC/PowerChute/jre-15.0.1/config/security if PowerChute has been installed to the default path.
Add the link DH keySize < 2048,
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves
Add
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, DH keySize < 2048,\
include jdk.disabled.namedCurves
NOTE:
- If running an older version, upgrading to the latest and following the steps above is recommended.
- This issue was resolved with the release of PowerChute Business Edition Agent 10.0.5, PowerChute Serial Shutdown version 1, and PowerChute Network Shutdown 5
Released for: Schneider Electric Malaysia
Need help?
Product Selector
Quickly and easily find the right products and accessories for your applications.
Get a Quote
Start your sales enquiry online and an expert will connect with you.
Where to buy?
Easily find the nearest Schneider Electric distributor in your location.
Help Centre
Find support resources for all your needs, in one place.
