WFM: Multiple vulnerabilities detected


Doc ID    SOLN305876
Version:    2.0
Status:    Published
Published date:    28 Feb 2019
Created Date:    06 Mar 2017
Author:    Santhosh Kumar

Details

Version 12.0 and 12.x

Problem Clarification

Multiple Vulnerabilities Detected:

1. SSL Certificate Signed Using Weak Hashing Algorithm (CVE-2003-2761)
2. SSL Medium Strength Cipher Suites Supported (CVE-2017-3248)
3. SSL Weak Strength Cipher Suites Supported
4. SSL Version 2 and 3 Protocol Detection (20007)
5. And many more, listed in the attachments

Cause

Certificates have expired, and a few Security and Third Party updates also need to be applied.

Solution

 

Item #1)  Issue: CVE # CVE-2003-2761 - SSL Certificate Signed Using Weak Hashing Algorithm
a.)   Status: Level – Medium
b.)   Next Actions: Customer's PenTest solution is "Contact the Certificate Authority to have the certificate reissued". Avaya understands that a new industry standard has come out requiring the retirement of SHA1 certificates for SSL. In version 11 and below this will require an upgrade. However, in version 12 the developers have provided a method to handle SHA2. This is not a break/fix issue, as development of version 12.x began before this industry standard was implemented. The options are to upgrade to v15x, or to purchase services to update the current V12 to be SHA2 compatible and re-apply the certificates. See Certificate Renewal for a write-up on those services.
Item #2)  Issue: CVE # CVE-2017-3248 - Description: SSL Medium Strength Cipher Suites Supported
a.)   Status: Level – Medium
b.)   Next Actions: Customer's PenTest solution is "Reconfigure the affected application if possible to avoid use of medium strength ciphers." Validate that the latest supported SSL protocols and cipher suite configurations, and SHA2 SSL certificate support, are in place by applying the Security and 3rd Party Update Kit (attached doc and updates on support.avaya.com). We can discuss any questions during our call with the version details. (Update Kit: Addressed in Security and 3rd Party update doc)
Item #3)  Issue: CVE # CVE-2017-3248 - Oracle WebLogic Java Object RMI Connect-Back Deserialization RCE (Jan 2017 CPU) (9680)
a.)   Status: Level – Critical
b.)   Next Actions: Customer's PenTest solution is "Apply the appropriate patch according to the Jan 2017 Oracle Critical Patch Update Advisory". Validate that the latest Security and 3rd Party Update Kit is applied (attached doc and updates on support.avaya.com). We can discuss any questions during our call with the version details.
(Update Kit: Addressed in Security and 3rd Party update doc)
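The certificate finding in Item #1 comes down to one field: the outer signatureAlgorithm of the X.509 certificate. The following added example (not Avaya's or the scanner's code) extracts that field with a minimal standard-library DER walker and reports whether the certificate should be reissued with SHA-2. The certificates it builds are synthetic fixtures constructed for the example, not real Avaya certificates; the OID table is the well-known RFC 3279/4055/5758 values.

```python
"""Added example (not Avaya's or the scanner's code): flag X.509 certificates
whose outer signatureAlgorithm is MD5- or SHA-1-based, the condition behind the
'SSL Certificate Signed Using Weak Hashing Algorithm' finding.
Standard library only: a minimal DER walker stands in for the 'cryptography'
package. The certificates built by constructed_certificate() are synthetic test
fixtures, not real Avaya certificates."""
import ssl
from typing import Tuple

# Signature-algorithm OIDs (RFC 3279 / 4055 / 5758) -> (name, weak hash?)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(contents: bytes) -> str:
    """DER OID contents -> dotted string, e.g. 1.2.840.113549.1.1.5."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der: bytes) -> str:
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280, section 4.1)."""
    tag, cert, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, after_tbs = _read_tlv(cert, 0)        # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, after_tbs)    # signatureAlgorithm SEQUENCE
    assert tag == 0x30
    tag, oid, _ = _read_tlv(alg, 0)             # algorithm OBJECT IDENTIFIER
    assert tag == 0x06
    return _decode_oid(oid)


def check_certificate(der: bytes) -> Tuple[str, bool]:
    """(algorithm name, True if the certificate should be reissued with SHA-2)."""
    oid = signature_algorithm(der)
    return SIG_ALG_OIDS.get(oid, (oid, True))   # unknown algorithm: treat as weak


def check_pem(pem: str) -> Tuple[str, bool]:
    return check_certificate(ssl.PEM_cert_to_DER_cert(pem))


# --- synthetic fixtures: a tiny DER encoder so the example runs offline ----
def _tlv(tag: int, contents: bytes) -> bytes:
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + contents


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def constructed_certificate(sig_oid: str) -> bytes:
    """Structurally valid but meaningless certificate carrying the given
    signatureAlgorithm; tbsCertificate is filler padded past 127 bytes so the
    long-form length path is exercised."""
    tbs = _tlv(0x30, b"\x02\x01\x01" + b"\x00" * 300)
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")  # AlgorithmIdentifier + NULL params
    sig = _tlv(0x03, b"\x00" * 65)                        # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        name, weak = check_certificate(constructed_certificate(oid))
        print(f"{name}: {'REISSUE with SHA-2' if weak else 'ok'}")
```

On a real deployment, feed check_pem() the PEM exported from the WFO server's keystore; the walker only reads the length prefix of tbsCertificate, so it works on any conformant DER certificate, not just the fixtures.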
 

Product Name                                Version
WFO Security KBs                            Includes the latest supported SSL protocols and cipher suite configurations, and SHA2 SSL certificates support
JAVA Runtime Environment for Servers (JRE)  1.6_131
Tomcat                                      6.0.47
Oracle WebLogic 64-Bit Update               10.3.6
Oracle WebLogic 64-Bit Minor Update         July 2016 PSU
OpenSSL                                     1.0.2h

 
Item #4)  Issue: SSL Weak Strength Cipher Suites Supported
a.)   Status: Level – Update Info
b.)   Next Actions: Customer's PenTest solution is "Reconfigure the affected application if possible to avoid use of weak ciphers". Validate that the latest Security and 3rd Party Update Kit is applied (attached doc and updates on support.avaya.com). We can discuss any questions during our call with the version details.
 

(Update kit component versions: see the table under Items #2 and #3 above.)

(Update Kit:  Addressed in Security and 3rd Party update doc)
 
Item #5)  Issue: SSL Version 2 and 3 Protocol Detection
a.)   Status: Level – Medium
b.)   Next Actions: Customer's PenTest solution is "Consult the application's documentation to disable SSL 2.0 and 3.0. Use TLS 1.1 (with approved cipher suites) or higher instead." Provided doc on disabling SSLv3.
Item #6)  Issue: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
a.)   Status: Level – Medium
b.)   Next Actions: Customer's PenTest solution is "Disable SSLv3". Provided doc on disabling SSLv3.
 
Item #7)  Issue: SSL/TLS Export_RSA <= 512-bit Cipher Suites Supported (FREAK)
a.)   Status: Level – Medium
b.)   Next Actions: Customer's PenTest solution is "Reconfigure the service to remove support for Export_RSA cipher suites." Validate that the latest Security and 3rd Party Update Kit is applied (attached doc and updates on support.avaya.com). We can discuss any questions during our call with the version details.
(Update Kit: Addressed in Security and 3rd Party update doc)
 

(Update kit component versions: see the table under Items #2 and #3 above.)

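Items #2, #4, #5, #6 and #7 are all settled in the same place on the WFO Application Server: the SSL connector definitions in Tomcat's server.xml. The following added example (not Avaya's or Apache Tomcat's code) audits those connectors for the conditions the scanner reported: SSLv2/SSLv3 (or plain TLSv1) enabled, no explicit protocol or cipher list, and export, weak or medium-strength cipher suites offered. The server.xml it reads is constructed for the example; the sslEnabledProtocols and ciphers attribute names are the JSSE connector attributes and are assumed to be available on the 6.0.x build in use (confirm against the Tomcat 6.0.47 connector documentation). The weak/medium grouping follows the finding names on this page (export and DES/RC4/NULL/anonymous suites as weak, 3DES as medium).

```python
"""Added example (not Avaya's or Apache Tomcat's code): audit SSL connectors in a
Tomcat 6 server.xml for the cipher-suite and protocol findings listed above.
SAMPLE_SERVER_XML is constructed for this example; the sslEnabledProtocols and
ciphers attributes are assumed JSSE connector attributes for the Tomcat build."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- constructed: legacy connector, JVM default protocols, weak suites listed -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               ciphers="SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_WITH_DES_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <!-- constructed: hardened connector, TLS 1.1+ and strong suites only -->
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>
  </Service>
</Server>
"""


def classify_cipher(name: str) -> str:
    """Map a JSSE cipher-suite name to export / weak / medium / strong."""
    n = name.upper()
    if "EXPORT" in n:                      # Item #7 (FREAK): <= 512-bit export RSA
        return "export"
    if any(t in n for t in ("NULL", "ANON", "_DES_", "RC4", "RC2", "MD5")):
        return "weak"                      # Item #4: weak strength suites
    if "3DES" in n:
        return "medium"                    # Item #2: medium strength suites
    return "strong"


def _split_list(value: str) -> List[str]:
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


def audit_server_xml(xml_text: str) -> List[Dict]:
    """Return one {'port', 'issues'} record per SSL-enabled Connector."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        issues: List[str] = []
        protos = conn.get("sslEnabledProtocols")
        if protos is None:
            issues.append("no sslEnabledProtocols: JVM default list applies "
                          "(may include SSLv2Hello/SSLv3 on old JREs)")
        else:
            # Items #5/#6: SSLv2/SSLv3 off, TLS 1.1 or higher only
            legacy = [p for p in _split_list(protos)
                      if p.upper().startswith("SSL") or p.upper() == "TLSV1"]
            if legacy:
                issues.append("legacy protocols enabled: " + ",".join(legacy))
        ciphers = conn.get("ciphers")
        if ciphers is None:
            issues.append("no ciphers attribute: JVM default cipher list applies")
        else:
            for suite in _split_list(ciphers):
                cls = classify_cipher(suite)
                if cls != "strong":
                    issues.append(f"{cls} cipher suite offered: {suite}")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for record in audit_server_xml(SAMPLE_SERVER_XML):
        status = "OK" if not record["issues"] else "FINDINGS"
        print(f"connector :{record['port']} {status}")
        for issue in record["issues"]:
            print("  -", issue)
```

Run it against the real server.xml by replacing SAMPLE_SERVER_XML with the file contents; a connector with an empty issue list matches what the scanner expects after the update kit and the SSLv3 document have been applied. The audit is static: it reports what the configuration permits, and the JVM's own default lists still apply wherever an attribute is absent, which is why a missing attribute is reported rather than assumed safe.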
Additional Relevant Phrases

Item 3. When connecting to the WFO Application Server (Tomcat), the message 'It works!' is displayed. If the web server is up but the WFO Production process is still initialising (i.e. less than 2.5 GB or so), it is possible to get this message when connecting to the APP server URL.

Avaya -- Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy