Issue:
Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute.

Product Lines:
PowerChute Business Edition 10.0.1, 10.0.2, 10.0.3, 10.0.4
PowerChute Network Shutdown 4.4, 4,4,1, 4,4,2, 4,4,3

Environment:
All supported OS

Cause:
Week cipher suite

Solution:
Edit the java.security file and disallow DH cipher suite less than 2048

PowerChute Business Edition on Windows OS the java.security file will be found in
C:\Program Files (x86)\APC\PowerChute Business Edition\jre\conf\security if PowerChute has been installed to the default path.
PowerChute Business Edition on Linux OS the java.security file will be found in
/opt/APC/PowerChuteBusinessEdition/jre/config/security if PowerChute has been installed to the default path.

# Example:
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
#       rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves

Change to
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves


PowerChute Network Shutdown on Windows 64 bit OS the java.security file will be found in
C:\Program Files\APC\PowerChute\jre_x64\conf\security
PowerChute Network Shutdown 4.4.1 on Linux OS the java.security file will be found in
/opt/APC/PowerChute/jre-15.0.1/config/security if PowerChute has been installed to the default path.

Add the link DH keySize < 2048,
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
include jdk.disabled.namedCurves

Add
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, DH keySize < 2048,\
include jdk.disabled.namedCurves

NOTE:

• If running an older version, upgrading to the latest and following the steps above is recommended.
• This issue was resolved with the release of PowerChute Business Edition Agent 10.0.5, PowerChute Serial Shutdown version 1,  and PowerChute Network Shutdown 5

Veröffentlicht für:Schneider Electric Deutschland

Issue:
Security scan report "SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability" for port 6547 used by PowerChute. 

Product Lines:
PowerChute Business Edition 10.0.1, 10.0.2, 10.0.3, 10.0.4
PowerChute Network Shutdown 4.4, 4,4,1, 4,4,2, 4,4,3 

Environment:
All supported OS

Cause:
Week cipher suite

Solution:
Edit the java.security file and disallow DH cipher suite less than 2048

PowerChute Business Edition on Windows OS the java.security file will be found in
C:\Program Files (x86)\APC\PowerChute Business Edition\jre\conf\security if PowerChute has been installed to the default path. 
PowerChute Business Edition on Linux OS the java.security file will be found in 
/opt/APC/PowerChuteBusinessEdition/jre/config/security if PowerChute has been installed to the default path. 

# Example:
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
#       rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

Change to 
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves


PowerChute Network Shutdown on Windows 64 bit OS the java.security file will be found in 
C:\Program Files\APC\PowerChute\jre_x64\conf\security
PowerChute Network Shutdown 4.4.1 on Linux OS the java.security file will be found in
/opt/APC/PowerChute/jre-15.0.1/config/security if PowerChute has been installed to the default path. 

Add the link DH keySize < 2048,
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
    include jdk.disabled.namedCurves

Add
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, DH keySize < 2048,\
    include jdk.disabled.namedCurves

NOTE:

• If running an older version, upgrading to the latest and following the steps above is recommended. 
• This issue was resolved with the release of PowerChute Business Edition Agent 10.0.5, PowerChute Serial Shutdown version 1,  and PowerChute Network Shutdown 5

Veröffentlicht für:Schneider Electric Deutschland