Riverbed is actively working on identifying and resolving this CVE across all vulnerable products. As each product is updated, tested, and released, we will update this knowledge base article. Check back periodically to learn when updates to the products you use become available.
In the lists below, products are grouped together when the same information applies to all products in the group. For example, in the SteelHead section, the bulleted statements apply to all of the product names listed above the statements.
SteelHead products
SteelHead CX (appliance, virtual, cloud)
SteelHead DX
SteelHead Interceptor
SteelCentral Controller for SteelHead
SteelCentral Controller for SteelHead Mobile
Riverbed Services Platform
- RiOS 9.0.1 and higher, and 8.6.2c and higher, have EXP ciphers disabled by default and are NOT IMPACTED.
- Earlier RiOS releases support EXP ciphers, but the risk is LOW. For these releases, the risk can be mitigated with the workaround below.
- SteelHead Interceptor 4.0.1 and higher is NOT IMPACTED.
- SteelCentral Controller for SteelHead 8.5 and higher is NOT IMPACTED.
- SteelCentral Controller for SteelHead Mobile 4.0.3 and higher is NOT IMPACTED.
- For earlier releases of these products (SteelHead Interceptor, SteelCentral Controller for SteelHead, and SteelCentral Controller for SteelHead Mobile), the risk is LOW and can be mitigated with the workaround below.
- Workaround: enable only HIGH security ciphers, which do not include any EXP ciphers, using the CLI command 'web ssl cipher HIGH:-aNULL:-kKRB5:-MD5'
SteelCentral products
Product       | Status (affected releases) | Fixed Release (expected release date)
NetCollector  | <=18.0.3                   | >18.0.3
NetSensor     | <=2.0.1                    | >2.0.1
NetShark      | <10.8.1                    | 10.8.1
Report Server | <=2.6.3                    | >2.6.3
AirPcap driver
AppMapper
AppSQL
Dashboards
Modeler
NetAuditor
NetPlanner
Packet Analyzer
Transaction Analyzer
WebAnalyzer
AppInternals
Flow Gateway
NetExpress
UCExpert
Report Server
ReportServer 2.6.3 Build 711 and earlier releases support EXP and EDH (Diffie-Hellman) ciphers but the risk is LOW. The risk can be mitigated with the following workaround:
- Modify $ \jakarta-tomcat-6\webapps\rs\WEB-INF\classes\lib\xml\res\ssl.res and add the following under the "cipherSuitesOverrides" property:
<fs:simpProperty name="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
- Run the following command in the $ \jakarta-tomcat-6\bin\scripts directory:
- https_setup.bat /ciphers strong (Windows)
- https_setup.sh /ciphers strong (Linux; run this command as root)
- Restart the Report Server services.
NetCollector
NetSensor
NetCollector 18.0.3 Build 15717 and earlier releases support EXP and EDH (Diffie-Hellman) ciphers but the risk is LOW.
NetSensor (AppSensor Xpert) 2.0.1 Build 14310 and earlier releases support EXP and EDH (Diffie-Hellman) ciphers but the risk is LOW.
The risk can be mitigated in these products with the following workaround:
- Modify $ \lib\xml\res\LiveUpdate_VNE.res and add the following under the "cipherSuitesOverrides" property:
<fs:simpProperty name="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
- Run the following command in the $ :
- https_setup.bat /ciphers strong (Windows)
- https_setup.sh /ciphers strong (Linux)
NOTE: The proprietary protocol used for secure communication between the NetSensor Test Engines and NetSensor 2.0 is impacted, but the risk is LOW. This can be remediated by upgrading both software components to the new versions, that is, Test Engine 3.0.0 and NetSensor 3.0.0, when they are available.
NetProfiler
- NOT IMPACTED as EXP ciphers are disabled by default.
NetShark versions 10.8.1 and higher
- NOT IMPACTED as EXP ciphers are disabled by default and DH ciphers are not allowed.
- This applies to the web interface/REST API/packet analyzer communication as well as MNMP communication with NetProfiler.
- It is recommended that earlier versions of the software be upgraded to the latest one.
Portal
AppResponse
- NOT IMPACTED as EXP ciphers are not supported.
SteelFusion products
SteelHead EX
SteelFusion Edge
SteelFusion Core (physical and virtual)
- SteelHead EX 3.6.1 and higher is NOT IMPACTED.
- For all other releases of SteelHead EX and SteelFusion, the risk is LOW and can be mitigated with the following workaround:
- Enable only HIGH security ciphers, which do not include any EXP ciphers, using the CLI command 'web ssl cipher HIGH:-aNULL:-kKRB5:-MD5'
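Added example (not Riverbed's code) covering the two workarounds in this article: it applies the SteelHead/SteelFusion cipher string 'HIGH:-aNULL:-kKRB5:-MD5' to the local OpenSSL build and lists any export-grade, anonymous or MD5 suites that would still be offered, and it checks that a Report Server/NetCollector cipherSuitesOverrides fragment names only DHE (EDH) suites. The override fragment is a constructed sample, and the helper names are my own; the cipher-string check reflects the OpenSSL linked into your Python, not the appliance's RiOS build.

```python
import re
import ssl

# Name markers for export-grade (EXP), anonymous (aNULL) and ephemeral
# finite-field DH (DHE/EDH) suites, in both OpenSSL spelling
# ("EXP-RC4-MD5", "ADH-AES128-SHA", "EDH-RSA-DES-CBC3-SHA") and IANA spelling
# ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_DH_anon_WITH_AES_128_CBC_SHA").
_EXPORT_RE = re.compile(r"(^|[-_])EXP(ORT)?(1024)?([-_]|$)")
_ANON_RE = re.compile(r"(^|[-_])(ADH|AECDH|anon)([-_]|$)")
_DHE_RE = re.compile(r"(^|[-_])(DHE|EDH)([-_]|$)")   # boundary excludes ECDHE

def is_export_grade(name, strength_bits=None):
    """Export suites are named EXP/EXPORT or offer 56 bits of strength or less."""
    return bool(_EXPORT_RE.search(name)) or (
        strength_bits is not None and strength_bits <= 56)

def is_dhe_suite(name):
    """True for the EDH (ephemeral Diffie-Hellman) suites the overrides target."""
    return bool(_DHE_RE.search(name))

def offending_ciphers(spec):
    """Apply an OpenSSL cipher string to the local OpenSSL build and return
    every suite it would still offer that is export-grade, anonymous or
    MD5-based. An empty list means the spec excludes all of them here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)                 # ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()
            if is_export_grade(c["name"], c.get("strength_bits"))
            or _ANON_RE.search(c["name"]) or c["name"].endswith("MD5")]

def override_suite_names(fragment):
    """Suite names from <fs:simpProperty name="..."> override lines."""
    return re.findall(r'<fs:simpProperty name="([^"]+)">', fragment)

def non_dhe_overrides(fragment):
    """Override entries that are not DHE suites: such an entry would needlessly
    tie an otherwise acceptable suite to the weak-cipher switch."""
    return [n for n in override_suite_names(fragment) if not is_dhe_suite(n)]

# Constructed sample: three lines copied from the KB override list plus one
# deliberately mistaken non-DHE entry, to show what non_dhe_overrides flags.
SAMPLE_OVERRIDES = """
<fs:simpProperty name="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
<fs:simpProperty name="TLS_RSA_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty>
"""

if __name__ == "__main__":
    print("still offered:", offending_ciphers("HIGH:-aNULL:-kKRB5:-MD5"))
    print("non-DHE overrides:", non_dhe_overrides(SAMPLE_OVERRIDES))
```

On an OpenSSL build that has already dropped export ciphers, offending_ciphers() returns an empty list; the same function run against the cipher string an older build accepts shows which suites the HIGH:-aNULL:-kKRB5:-MD5 filter actually removes there.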