
HP SIM TLS Session Renegotiation Vulnerability

Keith.Evans
Occasional Contributor

I work as the security analyst focusing on server vulnerability management for the. We have 2 issues. I need to know what patch or what configuration I need to make to resolve identified vulnerabilities.

1st) HP Systems Management Homepage - Windows Systems 2003 - 2008
- Running on port 2381
o TLS Protocol Session Renegotiation

2nd) HP SIM 6.0 CRM - Windows 2008 R2
- Running on port 50,000
o TLS Protocol Session Renegotiation
o SSL Server Supports Weak Encryption

With the first two I need to be able to disable the TLS Session Renegotiation. With the second we need to disable the Weak Encryption (cipher suites) provided by the underlying SIM web server (Tomcat).

The Microsoft TLS Protocol Session Renegotiation fix has been applied. This is fixed with MS KB Patch 977377 (http://www.microsoft.com/technet/security/advisory/977377.mspx).
At the operating system level in the SCHANNEL hive of the registry weak ciphers have been disabled, why is SIM disregarding this? Does SIM use OpenSSL and thus the OS level configuration does not apply?

I have sent this to an HP support rep, Walter Castillo, but have not heard from him in over a week (20100421).

P.S. This thread has been moved from Insight Remote Support > general to ITRC HP Systems Insight Manager Forum - Hp Forums moderator

Viktor Balogh
Honored Contributor

Re: HP SIM TLS Session Renegotiation Vulnerability

For SIM: Look for the conf files of tomcat/SIM, I think the encryption level can be set there somewhere. Here is a doc to the topic:

http://www.hp.com/wwsolutions/misc/downloads/management/hpsim/HPSIM_Security_WP.pdf
****
Unix operates with beer.
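As a worked illustration of the configuration Viktor points at, here is an added example (not part of this thread, and not HP's own tooling) that audits a Tomcat server.xml for HTTPS connectors with no cipher-suite restriction or with weak suites, and writes a hardened copy that pins each SSL connector to an AES-only allow-list via the JSSE connector's `ciphers` attribute. The server.xml fragment is constructed for the example; the real HP SIM file location and connector layout are not given on the page and are assumed to follow stock Tomcat conventions. The script does not touch session renegotiation, because for a JSSE connector that behaviour comes from the Java runtime rather than from server.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (NOT the real HP SIM file): one HTTPS connector
# on the port named in the thread, with no cipher restriction, plus a plain
# HTTP connector that the audit must ignore.
SAMPLE_SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="50000" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Substrings that mark a JSSE cipher-suite name as weak: null or anonymous
# key exchange, export-grade keys, single DES, RC4, MD5 MACs.
# "_DES_" deliberately does not match "_3DES_EDE_".
WEAK_PATTERNS = ("NULL", "anon", "EXPORT", "_DES_", "RC4", "MD5")

# Hardened allow-list of JSSE suite names (assumed acceptable for this
# example; adjust to local policy).
STRONG_CIPHERS = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]


def is_weak(cipher):
    """True if the suite name contains any weak-algorithm marker."""
    return any(p in cipher for p in WEAK_PATTERNS)


def ssl_connectors(root):
    """Yield every <Connector> element with SSLEnabled="true"."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn


def audit_connectors(xml_text):
    """Return a list of (port, finding) tuples, one per SSL-enabled connector."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in ssl_connectors(root):
        port = conn.get("port")
        ciphers = conn.get("ciphers")
        if not ciphers:
            # No allow-list means the JVM default suite set, which on the
            # Java versions of this era includes export/DES/RC4 suites.
            findings.append((port, "no ciphers attribute: JVM defaults in use"))
            continue
        weak = [c.strip() for c in ciphers.split(",") if is_weak(c.strip())]
        if weak:
            findings.append((port, "weak suites enabled: " + ", ".join(weak)))
        else:
            findings.append((port, "ok"))
    return findings


def harden(xml_text):
    """Return server.xml text with every SSL connector pinned to STRONG_CIPHERS."""
    root = ET.fromstring(xml_text)
    for conn in ssl_connectors(root):
        conn.set("ciphers", ",".join(STRONG_CIPHERS))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_connectors(SAMPLE_SERVER_XML))
    hardened = harden(SAMPLE_SERVER_XML)
    print("after: ", audit_connectors(hardened))
```

Run it against a copy of the real server.xml by replacing `SAMPLE_SERVER_XML` with the file contents; a finding of "ok" on every SSL port, followed by a restart of the service, is the state a scanner should then confirm.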
Keith.Evans
Occasional Contributor

Re: HP SIM TLS Session Renegotiation Vulnerability

Thank you Viktor, but that is too high level. I know that HP IHM supports SSLv3 and TLSv1, but I am looking for the specifics as to how HP is remediating the TLS Session Renegotiation issue. Most vendors have released updates to their management consoles which include updates to the underlying OpenSSL which disabled TLS Session Renegotiation. Do you know of a specific patch set or update, or configuration within, that will resolve this? Again, thanks again, I greatly appreciate your reply. Keith