Issue:
On 20th May 2015, several weaknesses in the Diffie-Hellman Key Exchange that could lead to security vulnerabilities in protocols such as HTTPS that rely on TLS 1.2 and earlier were published on the following website - https://weakdh.org/. This is known as the Logjam attack (CVE-2015-4000).
Products:
PowerChute Network Shutdown
Environment:
All Support OS
Cause:
V2.2.x – These versions support DHE_EXPORT cipher suites and are vulnerable.
V3.0.x – DHE_EXPORT cipher suites are blocked but they use a Diffie-Hellman prime of less than 2048-bits and are therefore vulnerable. The level of difficulty depends on the JRE version being used with PowerChute. Java 8 uses a default value of 1024-bits. Java 7 may use 768-bits or higher depending on the version.
V4.0.0 - DHE_EXPORT cipher suites are blocked but they use a Diffie-Hellman prime of less than 2048-bits and are therefore vulnerable. The level of difficulty depends on the JRE version being used with PowerChute. Java 8 uses a default value of 1024-bits. Java 7 may use 768-bits or higher depending on the version.
Solution:
PowerChute Network Shutdown
We recommend updating the version of PowerChute Network Shutdown to the latest version, v4.0.0, or updating the JRE version used by PowerChute to Java 8. For 32-bit Solaris OS, Java 7 must be used.
Once PowerChute has been configured to use Java 8 (Java 7 on Solaris x86):
On 20th May 2015, several weaknesses in the Diffie-Hellman Key Exchange that could lead to security vulnerabilities in protocols such as HTTPS that rely on TLS 1.2 and earlier were published on the following website - https://weakdh.org/. This is known as the Logjam attack (CVE-2015-4000).
Products:
PowerChute Network Shutdown
Environment:
All Support OS
Cause:
- Logjam attack against the TLS protocol: “The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.”
- Threats from State Adversaries: The use of pre-computed prime numbers that are 1024 bits in size or less in the Diffie-Helman key exchange can be exploited with varying levels of difficulty:
- 512-bit – An individual user can break this.
- 768-bit – University level resources required.
- 1024-bit – Nation-State level resources required.
V2.2.x – These versions support DHE_EXPORT cipher suites and are vulnerable.
V3.0.x – DHE_EXPORT cipher suites are blocked but they use a Diffie-Hellman prime of less than 2048-bits and are therefore vulnerable. The level of difficulty depends on the JRE version being used with PowerChute. Java 8 uses a default value of 1024-bits. Java 7 may use 768-bits or higher depending on the version.
V4.0.0 - DHE_EXPORT cipher suites are blocked but they use a Diffie-Hellman prime of less than 2048-bits and are therefore vulnerable. The level of difficulty depends on the JRE version being used with PowerChute. Java 8 uses a default value of 1024-bits. Java 7 may use 768-bits or higher depending on the version.
Solution:
PowerChute Network Shutdown
We recommend updating the version of PowerChute Network Shutdown to the latest version, v4.0.0, or updating the JRE version used by PowerChute to Java 8. For 32-bit Solaris OS, Java 7 must be used.
- V2.2.x – Install the 32-bit version of Java 8 from java.com on the machine running PowerChute. Re-run the PowerChute installer – v2.2.x will automatically detect and use Java 8.
- V3.0.x – Install the 32-bit version of Java 8 from java.com on the machine running PowerChute. Re-run the PowerChute installer and select the Public JRE option.
- V4.0.0 has Java 8 bundled as a private JRE.
Once PowerChute has been configured to use Java 8 (Java 7 on Solaris x86):
- Stop the PowerChute service.
- In the folder where Java is installed open “lib\security\java.security” using a text editor.
- Scroll to the end of the file and locate the line “jdk.tls.disabledAlgorithms=SSLv3” – set this to “jdk.tls.disabledAlgorithms=SSLv3,DH”
- Save the file and re-start the PowerChute service.
Released for:APC USA
