Are APM Enterprise Managers & WebView web servers vulnerable to the "Sweet 32" attack using DES and Triple DES (3DES) ciphers?

Document ID : KB000011682

Last Modified Date : 14/02/2018

Question:

Are APM Enterprise Manager & WebView web servers vulnerable to the "Sweet 32" attack using DES and Triple DES (3DES) ciphers?

CVE-2016-2183

Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN

Environment:

All supported APM Releases

Answer:

The Enterprise Manager (EM) or WebView jetty web servers use whatever ciphersuites are enabled in Java and out of the box DES & Triple DES (3DES) ciphers are not disabled.

To disable the ciphers, edit the java.security file for the EM JRE (EM_HOME/jre/lib/java.security) and disable the relevant algorithms e.g with Java 1.8 the default value of property jdk.tls.disabledAlgorithms only includes SSLv3 so to also disable DES & 3DES change the property to:

jdk.tls.disabledAlgorithms=SSLv3, DES, DESede

Additional Information:

"Java Cryptography Architecture Oracle Providers Documentation for JDK 8" > "The SunJSSE Provider"

Was this information helpful?