Oracle Agent and Sweet32 TCP Birthday error

Ben Wagner, Jul 31 2017 — edited Jul 31 2017

Hi, my Oracle Agents are marked as insecure by our internal Security department:

Vulnerability Details

Date: Fri 28 Jul 2017 13:09:00 MET

Vuln#: 2PQ038657

Vulnerability: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

ToDo: Disable and stop using DES and 3DES ciphers.

The following openssl commands can be used to do a manual test:

openssl s_client -connect ip:port -cipher 'DES:3DES' -ssl2

openssl s_client -connect ip:port -cipher 'DES:3DES' -ssl3

openssl s_client -connect ip:port -cipher 'DES:3DES' -tls1

openssl s_client -connect ip:port -cipher 'DES:3DES' -tls1_1

openssl s_client -connect ip:port -cipher 'DES:3DES' -tls1_2

If any of these tests is successful, then the target is vulnerable to Sweet32.

Comment:

Counted in: 2017-09

Monitor:

ScannerOutput: Port: 3872/tcp

CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE

TLSv1 WITH DES/3DES CIPHERs IS SUPPORTED

DES-CBC3-SHA RSA RSA SHA1 3DES(168) MEDIUM

TLSv1.1 WITH DES/3DES CIPHERs IS SUPPORTED

DES-CBC3-SHA RSA RSA SHA1 3DES(168) MEDIUM

TLSv1.2 WITH DES/3DES CIPHERs IS SUPPORTED

DES-CBC3-SHA RSA RSA SHA1 3DES(168) MEDIUM

CVE: id=CVE-2016-2183 url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183

End of Vulnerability Details

How can I disable these insecure ciphers? The agent has the following version: 13.1.0.0.0

The installed plugins have the version 13.1.1.0.0

Kind Regards

Ben
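
The manual test from the scanner report above, wrapped as a re-runnable check for confirming a fix on the agent port (an added example, not part of the original post or of Oracle's tooling). The function names are hypothetical, and it assumes a local `openssl` that can still offer DES/3DES suites; when it cannot, the result is reported as inconclusive rather than as a pass.

```sh
#!/bin/sh
# Added example: re-run the report's manual Sweet32 test for one host:port.
# Function names are hypothetical. The report's -ssl2/-ssl3 runs are left
# out because most current openssl builds no longer accept those options.

# Read `openssl s_client` output on stdin and classify the handshake.
classify_handshake() {
    cipher=$(sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        '')       echo "NO_HANDSHAKE" ;;          # connect failed or option unsupported
        '(NONE)') echo "REJECTED" ;;              # server refused every offered suite
        *DES*)    echo "VULNERABLE $cipher" ;;    # 64-bit block cipher negotiated
        *)        echo "OTHER $cipher" ;;
    esac
}

# OpenSSL 1.1.0 and later omit DES/3DES suites from default builds; such a
# client cannot offer them, so a failed handshake would prove nothing.
client_offers_3des() {
    openssl ciphers 'DES:3DES' 2>/dev/null | grep -q 'DES'
}

sweet32_check() {
    host=$1; port=$2; rc=0
    if ! client_offers_3des; then
        echo "INCONCLUSIVE: local openssl cannot offer DES/3DES suites"
        return 2
    fi
    for proto in tls1 tls1_1 tls1_2; do
        result=$(openssl s_client -connect "$host:$port" -cipher 'DES:3DES' \
                     "-$proto" </dev/null 2>/dev/null | classify_handshake)
        echo "$proto: $result"
        case "$result" in VULNERABLE*) rc=1 ;; esac
    done
    return $rc
}

# Usage: sh sweet32_check.sh <host> <port>   (exit 1 = 3DES still accepted)
if [ "$#" -eq 2 ]; then
    sweet32_check "$1" "$2"
fi
```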

Locked on Aug 28 2017
Added on Jul 31 2017