Are APM Enterprise Managers & WebView web servers vulnerable to the "Sweet 32" attack using DES and Triple DES (3DES) ciphers?

Document ID : KB000011682
Last Modified Date : 14/02/2018
Question:

Are APM Enterprise Manager & WebView web servers vulnerable to the "Sweet 32" attack using DES and Triple DES (3DES) ciphers?

CVE-2016-2183

Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN

 

Environment:
All supported APM Releases
Answer:

The Enterprise Manager (EM) and WebView Jetty web servers use whatever cipher suites are enabled in Java, and out of the box the DES and Triple DES (3DES) ciphers are not disabled.

 

To disable the ciphers, edit the java.security file for the EM JRE (EM_HOME/jre/lib/java.security) and disable the relevant algorithms. For example, with Java 1.8 the default value of the property jdk.tls.disabledAlgorithms only includes SSLv3, so to also disable DES and 3DES, change the property to:

jdk.tls.disabledAlgorithms=SSLv3, DES, DESede
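
To confirm the edit is in place, the following check parses a java.security file and reports whether DES and 3DES are listed in jdk.tls.disabledAlgorithms. It is an added example, not part of the original article or of APM. The function names and the sample file are constructed for illustration, and it also accepts 3DES_EDE_CBC, the name newer JDK default files use for Triple DES.

```shell
#!/usr/bin/env bash
# Added example: audit jdk.tls.disabledAlgorithms in a java.security file.
# Function names are hypothetical; point check_sweet32 at EM_HOME/jre/lib/java.security.

# Print the effective value of PROPERTY in FILE. Skips commented-out lines,
# joins backslash-continued lines, and lets the last definition win.
get_security_prop() {   # usage: get_security_prop FILE PROPERTY
    awk -v prop="$2" '
        { sub(/\r$/, "") }                      # tolerate CRLF files
        !cont && /^[ \t]*[#!]/ { next }         # comment lines never continue
        {
            if (cont) { sub(/^[ \t]+/, ""); line = line $0 } else line = $0
            cont = (line ~ /\\$/)
            if (cont) { sub(/\\$/, "", line); next }
            eq = index(line, "=")
            key = substr(line, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (eq && key == prop) val = substr(line, eq + 1)
        }
        END { print val }
    ' "$1"
}

# Return 0 if both DES and 3DES are disabled, 1 otherwise.
check_sweet32() {   # usage: check_sweet32 FILE
    value=$(get_security_prop "$1" jdk.tls.disabledAlgorithms)
    # One entry per line, whitespace trimmed, so "DES" cannot match "DESede".
    entries=$(printf '%s\n' "$value" | tr ',' '\n' |
              sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    missing=""
    printf '%s\n' "$entries" | grep -qx 'DES' || missing="$missing DES"
    printf '%s\n' "$entries" | grep -qxE 'DESede|3DES_EDE_CBC' ||
        missing="$missing 3DES"
    if [ -n "$missing" ]; then
        echo "NOT disabled:$missing (current value: $value)"
        return 1
    fi
    echo "OK: $value"
}

# Constructed sample (not from a real install): the Java 1.8 default
# described above, which only lists SSLv3.
sample=$(mktemp)
printf 'jdk.tls.disabledAlgorithms=SSLv3\n' > "$sample"
check_sweet32 "$sample" || true
rm -f "$sample"
```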

 

Additional Information: