Riverbed products affected by CVE-2015-4000 -- Logjam

Solution Number:
S26727
Last Modified:
2018-01-17
Issue

A vulnerability (CVE-2015-4000 aka Logjam) has been reported. For more information on this vulnerability, please refer to the following:


Solution

Riverbed is actively working on identifying and resolving this CVE across all vulnerable products. As each product is updated, tested, and released, we will update this knowledge base article. Check back periodically to learn when updates to the products you use become available.

SteelHead | SteelCentral | SteelFusion 

In the lists below, products are grouped together when the same information applies to all products in the group. For example, in the SteelHead section, the bulleted statements apply to all of the product names listed above the statements.


SteelHead products

SteelHead CX (appliance, virtual, cloud)
SteelHead DX
SteelHead Interceptor
SteelCentral Controller for SteelHead
SteelCentral Controller for SteelHead Mobile
Riverbed Services Platform

  • RiOS 9.0.1 and higher, and 8.6.2c and higher, have EXP ciphers disabled by default and are NOT IMPACTED.
  • Earlier RiOS releases support EXP ciphers but the risk is LOW. For these releases, the risk can be mitigated with the following workaround:
    • Explicitly remove the DEFAULT and use HIGH security ciphers using either the SSL advanced settings management GUI page or the CLI:

      steelhead (config) # show protocol ssl backend client cipher-string
        # Cipher String/Suite Name
      --- ------------------------------
        1 DEFAULT

      steelhead (config) # protocol ssl backend client cipher-string HIGH
      Cipher string "HIGH" added at 2.
        
      steelhead (config) # show protocol ssl backend client cipher-string
        # Cipher String/Suite Name
      --- ------------------------------
        1 DEFAULT
        2 HIGH
        
      steelhead (config) # no protocol ssl backend client cipher-num 1

      steelhead (config) # show protocol ssl backend client cipher-strings
        # Cipher String/Suite Name
      --- ------------------------------
        1 HIGH

      Do the same for 'protocol ssl backend server'.
  • SteelHead Interceptor 4.0.1 and higher is NOT IMPACTED.
  • SteelCentral Controller for SteelHead 8.5 and higher is NOT IMPACTED.
  • SteelCentral Controller for SteelHead Mobile 4.0.3 and higher is NOT IMPACTED.
  • For earlier releases of these products (SteelHead Interceptor, SteelCentral Controller for SteelHead, and SteelCentral Controller for SteelHead Mobile), the risk is LOW and can be mitigated with the following workaround:
    • Enable only HIGH security ciphers, which do not include any EXP ciphers, using the CLI command 'web ssl cipher HIGH:-aNULL:-kKRB5:-MD5'



SteelCentral products

Product          Affected releases   Fixed release (expected release date)
NetCollector     <=18.0.3            >18.0.3
NetSensor        <=2.0.1             >2.0.1
NetShark         <10.8.1             10.8.1
Report Server    <=2.6.3             >2.6.3


AirPcap driver
AppMapper
AppSQL
Dashboards
Modeler
NetAuditor
NetPlanner
Packet Analyzer
Transaction Analyzer
WebAnalyzer
AppInternals
Flow Gateway
NetExpress
UCExpert

  • Under investigation

Report Server

ReportServer 2.6.3 Build 711 and earlier releases support EXP and EDH (Diffie-Hellman) ciphers but the risk is LOW. The risk can be mitigated with the following workaround:

  • Modify $ \jakarta-tomcat-6\webapps\rs\WEB-INF\classes\lib\xml\res\ssl.res and add the following under the "cipherSuitesOverrides" property

            <fs:simpProperty name="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 

  • Run the following command in the $ \jakarta-tomcat-6\bin\scripts:
    • https_setup.bat /ciphers strong (Windows)
    • https_setup.sh /ciphers strong (Linux) (run this command as root)
  • Restart Report Server services.

NetCollector
NetSensor

NetCollector 18.0.3 Build 15717 and earlier releases support EXP and EDH (Diffie-Hellman) ciphers but the risk is LOW.
NetSensor (AppSensor Xpert) 2.0.1 Build 14310 and earlier releases support EXP and EDH (Diffie-Hellman) ciphers but the risk is LOW.

The risk can be mitigated in these products with the following workaround:

  • Modify $ \lib\xml\res\LiveUpdate_VNE.res and add the following under the "cipherSuitesOverrides" property

            <fs:simpProperty name="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 

  • Run the following command in the $ :
    • https_setup.bat /ciphers strong (Windows)
    • https_setup.sh /ciphers strong (Linux) (run this command as root)
  • Restart services.

NOTE: The proprietary protocol used for secure communication between the NetSensor Test Engines and NetSensor 2.0 is impacted but the risk is LOW. This can be remediated by upgrading to the new version of both these software components, i.e. Test Engine 3.0.0 & NetSensor 3.0.0, when they are available.

NetProfiler

  • NOT IMPACTED as EXP ciphers are disabled by default.

NetShark versions 10.8.1 and higher

  • NOT IMPACTED as EXP ciphers are disabled by default and DH ciphers are not allowed.
    • This applies to the web interface/REST API/packet analyzer communication as well as MNMP communication with NetProfiler.
  • It is recommended that earlier versions of the software be upgraded to the latest one.

Portal
AppResponse

  • NOT IMPACTED as EXP ciphers are not supported.



SteelFusion products

SteelHead EX
SteelFusion Edge
SteelFusionCore (physical and virtual)

  • SteelHead EX 3.6.1 and higher is NOT IMPACTED.
  • For all other releases of SteelHead EX and SteelFusion, the risk is LOW and can be mitigated with the following workaround:
    • Enable only HIGH security ciphers, which do not include any EXP ciphers, using the CLI command 'web ssl cipher HIGH:-aNULL:-kKRB5:-MD5'
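
The workarounds in this article remove the export-grade (EXP) suites and, on the SteelCentral products, the DHE suites. The Python script below is an added example for checking that result from the client side; it is not Riverbed code and not part of this article. It classifies the cipher-suite names a server offers (the JSSE-style names used in the .res overrides above, or OpenSSL-style names such as those selected by the 'HIGH:-aNULL:-kKRB5:-MD5' string) and parses a captured DHE ServerKeyExchange message to report the size of the Diffie-Hellman group, which is what the Logjam downgrade reduces to 512 bits. All sample data in the script is constructed, the function names are the example's own, and the 2048-bit threshold is an assumption taken from common post-Logjam guidance rather than from this article.

```python
# Added example (not Riverbed code): offline checks for Logjam exposure based on
# a server's cipher-suite list and a captured DHE ServerKeyExchange message.
import struct

SERVER_KEY_EXCHANGE = 12  # TLS HandshakeType value for ServerKeyExchange
MIN_SAFE_DH_BITS = 2048   # assumed threshold: common post-Logjam guidance


def classify_suite(name):
    """Bucket a cipher-suite name (IANA/JSSE or OpenSSL style) by Logjam relevance."""
    n = name.upper()
    if "EXPORT" in n or n.startswith("EXP"):
        return "export"   # export-grade (512-bit) key exchange: the downgrade target
    if "_DHE_" in n or "_DH_" in n or n.startswith(("DHE-", "EDH-", "DH-")):
        return "dhe"      # finite-field DH: safe only with a large, non-shared group
    return "other"        # RSA or ECDHE key exchange: not a Logjam vector


def parse_dhe_server_key_exchange(msg):
    """Parse a DHE ServerKeyExchange handshake message (RFC 5246, section 7.4.3).

    Layout: 1-byte type, 3-byte length, then dh_p, dh_g and dh_Ys, each as a
    2-byte length followed by big-endian bytes. The signature that follows the
    parameters is ignored. Returns the prime bit length, generator and Ys size.
    """
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    pos = 0
    fields = []
    for _ in range(3):  # p, g, Ys in that order
        if pos + 2 > len(body):
            raise ValueError("truncated DH parameters")
        (n,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if pos + n > len(body):
            raise ValueError("truncated DH parameters")
        fields.append(body[pos:pos + n])
        pos += n
    p, g, ys = fields
    return {
        "p_bits": int.from_bytes(p, "big").bit_length(),
        "g": int.from_bytes(g, "big"),
        "ys_bits": int.from_bytes(ys, "big").bit_length(),
    }


def build_dhe_server_key_exchange(p, g, ys):
    """Build a constructed, unsigned ServerKeyExchange for testing the parser."""
    def vec(x):
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = vec(p) + vec(g) + vec(ys)
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


def logjam_findings(offered_suites, dh_prime_bits=None):
    """Return human-readable findings for a server's suite list and DH group size."""
    findings = []
    export = [s for s in offered_suites if classify_suite(s) == "export"]
    dhe = [s for s in offered_suites if classify_suite(s) == "dhe"]
    if export:
        findings.append("export-grade suites offered: " + ", ".join(export))
    if dhe and dh_prime_bits is not None and dh_prime_bits < MIN_SAFE_DH_BITS:
        findings.append(
            f"DHE offered with a {dh_prime_bits}-bit group (< {MIN_SAFE_DH_BITS})")
    return findings


if __name__ == "__main__":
    # Constructed sample data: not a real capture, and weak_p is not a real prime.
    weak_p = (1 << 511) | 7  # 512-bit odd number standing in for an export DH prime
    params = parse_dhe_server_key_exchange(build_dhe_server_key_exchange(weak_p, 2, 12345))
    suites = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
              "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    for finding in logjam_findings(suites, params["p_bits"]):
        print("FINDING:", finding)
```

On a live system the suite list and ServerKeyExchange bytes would come from a packet capture of the handshake after the workaround is applied; an empty findings list for a server that still offers DHE means the group is at least the assumed 2048 bits, while any export-grade suite in the list means the EXP removal did not take effect.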
