HPE Community
Server Management - Systems Insight Manager
1822736 Members
3819 Online
109644 Solutions
New Discussion юеВ

HP SIM TLS Session Renegotiation Vulnerability

 
Keith.Evans
Occasional Contributor

тАО04-28-2010 08:30 AM - last edited on тАО01-13-2013 07:11 PM by

тАО04-28-2010 08:30 AM - last edited on тАО01-13-2013 07:11 PM by

HP SIM TLS Session Renegotiation Vulnerability

I work as the security analyst focusing on server vulnerability management for the. We have 2 issues. I need to know what patch or what configuration I need to make to resolve identified vulnerabilities.

1st) HP Systems Management Homepage - Windows Systems 2003 - 2008
- Running on port 2381
o TLS Protocol Session Renegotiation

2nd) HP SIM 6.0 CRM - Windows 2008 R2
- Running on port 50,000
o TLS Protocol Session Renegotiation
o SSL Server Supports Weak Encryption

With the first two I need to be able to disable the TLS Session Renegotiation. With the second we need to disable the Weak Encryption (cipher suites) provide by the underlying SIM web server (tomcat).

The Microsoft TLS Protocol Session Renegotiation fix has been applied. This is fixed with MS KB Patch 977377 (http://www.microsoft.com/technet/security/advisory/977377.mspx).
At the operating system level in the SCHANNEL hive of the registry weak ciphers have been disabled, why is SIM disregarding this? Does SIM use OpenSSL and thus the OS level configuration does not apply?

I have sent this to an HP support rep, Walter Castillo, but have not heard from him in over a week (20100421).

 

 

P.S. This thread has been moved from Insight Remote Support > general to ITRC HP Systems Insight Manager Forum - Hp Forums moderator

0 Kudos
Reply
2 REPLIES 2
Viktor Balogh
Honored Contributor

тАО04-29-2010 02:36 AM

тАО04-29-2010 02:36 AM

Re: HP SIM TLS Session Renegotiation Vulnerability

For SIM: Look for the conf files of tomcat/SIM, I think the encryption level can be set there somewhere. Here is a doc to the topic:

http://www.hp.com/wwsolutions/misc/downloads/management/hpsim/HPSIM_Security_WP.pdf
****
Unix operates with beer.
0 Kudos
Reply
Keith.Evans
Occasional Contributor

тАО05-03-2010 11:00 AM

тАО05-03-2010 11:00 AM

Re: HP SIM TLS Session Renegotiation Vulnerability

Thank you Viktor, but that is too high level. I know that HP IHM supports SSLv3 and TLSv1, but I am looking for the specifics as to how HP is rememdiating the TLS Session Renegotiation issue. Most vendors have released updates to their management consoles which include updates the the underlying OpenSSL which disabled TLS Session Renegotiation. Do you know of a specific patch set or update, or configuration within that will resolve this. Again, thanks again, I greatly appreciate your reply. Keith
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.