Riverbed products affected by CVE-2015-4000 -- Logjam

Categories: SteelFusion, SteelCentral NPM, SteelCentral APM, SteelCentral (Cascade), Security, SteelHead, Riverbed Modeler
Solution Number: S26727

Issue

A vulnerability (CVE-2015-4000 aka Logjam) has been reported. For more information on this vulnerability, please refer to the following:


Solution

Riverbed is actively working on identifying and resolving this CVE across all vulnerable products. As each product is updated, tested, and released, we will update this knowledge base article. Check back periodically to learn when updates to the products you use become available.


In the lists below, products are grouped together when the same information applies to all products in the group. For example, in the SteelHead section, the bulleted statements apply to all of the product names listed above the statements.


SteelHead products

SteelHead CX (appliance, virtual, cloud)
SteelHead DX
SteelHead Interceptor
SteelCentral Controller for SteelHead
SteelCentral Controller for SteelHead Mobile
Riverbed Services Platform

  • RiOS 9.0.1 and higher, and 8.6.2c and higher, have EXP ciphers disabled by default and are NOT IMPACTED.
  • Earlier RiOS releases support EXP ciphers but the risk is LOW. For these releases, the risk can be mitigated with the following workaround:
    • Explicitly remove DEFAULT from the cipher string and use HIGH security ciphers, using either the CLI command 'protocol ssl backend <client/server> cipher-string' or the SSL advanced settings page in the management GUI.
  • SteelHead Interceptor 4.0.1 and higher is NOT IMPACTED.
  • SteelCentral Controller for SteelHead 8.5 and higher is NOT IMPACTED.
  • SteelCentral Controller for SteelHead Mobile 4.0.3 and higher is NOT IMPACTED.
  • For earlier releases of these products (SteelHead Interceptor, SteelCentral Controller for SteelHead, and SteelCentral Controller for SteelHead Mobile), the risk is LOW and can be mitigated with the following workaround:
    • Enable only HIGH security ciphers, which do not include any EXP ciphers, using the CLI command 'web ssl cipher HIGH:-aNULL:-kKRB5:-MD5'.



SteelCentral products

AirPcap driver
AppCapacity
AppMapper
AppSQL
Dashboards
Modeler
NetAuditor
NetPlanner
Packet Analyzer
Transaction Analyzer
WebAnalyzer
AppInternals
Flow Gateway
NetExpress
UCExpert

  • Under investigation

Report Server

ReportServer 2.6.3 Build 711 and earlier releases support EXP and EDH (Diffie-Hellman) ciphers but the risk is LOW. The risk can be mitigated with the following workaround:

  • Modify $ \jakarta-tomcat-6\webapps\rs\WEB-INF\classes\lib\xml\res\ssl.res and add the following under the "cipherSuitesOverrides" property:

            <fs:simpProperty name="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 

  • Run the following command in the $ \jakarta-tomcat-6\bin\scripts:
    • https_setup.bat /ciphers strong (Windows)
    • https_setup.sh /ciphers strong (Linux; run this command as root)
  • Restart the Report Server services.

NetCollector
NetSensor

NetCollector 18.0.3 Build 15717 and earlier releases support EXP and EDH (Diffie-Hellman) ciphers but the risk is LOW.
NetSensor (AppSensor Xpert) 2.0.1 Build 14310 and earlier releases support EXP and EDH (Diffie-Hellman) ciphers but the risk is LOW.

The risk can be mitigated in these products with the following workaround:

  • Modify $ \lib\xml\res\LiveUpdate_VNE.res and add the following under the "cipherSuitesOverrides" property:

            <fs:simpProperty name="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 
            <fs:simpProperty name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA">&NDMS.SERVER.ENABLE.WEAK.CIPHERS;</fs:simpProperty> 

  • Run the following command in the $ :
    • https_setup.bat /ciphers strong (Windows)
    • https_setup.sh /ciphers strong (Linux)
  • Restart services.
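As an added illustration, not Riverbed's code, of what the cipherSuitesOverrides entries do in both the Report Server and the NetCollector/NetSensor workaround: a small Python audit that classifies IANA suite names by key exchange, emits the fs:simpProperty override lines for every finite-field DH suite, and models the effect of the NDMS.SERVER.ENABLE.WEAK.CIPHERS entity resolving to false. It goes beyond the article's list by also flagging export-grade suites, and the sample suite list is constructed.

```python
import re

# Entity the workaround on this page uses to gate the weak suites; how it
# resolves ("true"/"false") is product configuration, so it is a parameter here.
WEAK_CIPHERS_ENTITY = "&NDMS.SERVER.ENABLE.WEAK.CIPHERS;"

# Constructed sample of a server's enabled suite list (IANA names): two of the
# DHE suites from this article plus a few others for contrast.
SAMPLE_SUITES = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Finite-field DH key exchange: DHE_RSA, DHE_DSS and anonymous DH suites.
_DHE = re.compile(r"^(TLS|SSL)_DH(E|_anon)_")

def classify(suite):
    """Return why a suite matters for Logjam, or None if it does not.
    'export': export-grade (512-bit) key exchange, the downgrade target.
    'dhe'   : finite-field Diffie-Hellman, the exchange Logjam targets.
    ECDHE and static-RSA suites are out of scope."""
    if "_EXPORT" in suite:
        return "export"
    if _DHE.match(suite):
        return "dhe"
    return None

def overrides_for(suites):
    """One cipherSuitesOverrides entry per affected suite, in the
    fs:simpProperty form the ssl.res / LiveUpdate_VNE.res workaround uses."""
    return [
        f'<fs:simpProperty name="{s}">{WEAK_CIPHERS_ENTITY}</fs:simpProperty>'
        for s in suites if classify(s) is not None
    ]

def effective_suites(suites, overrides, weak_ciphers_enabled):
    """Model the override semantics: a suite named in an override stays
    enabled only if the entity resolves to true; other suites are unaffected."""
    overridden = set(re.findall(r'name="([^"]+)"', "\n".join(overrides)))
    return [s for s in suites if s not in overridden or weak_ciphers_enabled]

if __name__ == "__main__":
    ov = overrides_for(SAMPLE_SUITES)
    print("\n".join(ov))
    print("enabled with weak ciphers off:", effective_suites(SAMPLE_SUITES, ov, False))
```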

NOTE: The proprietary protocol used for secure communication between the NetSensor Test Engines and NetSensor 2.0 is impacted but the risk is LOW. This can be remediated by upgrading to the new version of both software components, i.e. Test Engine 3.0.0 and NetSensor 3.0.0, when they are available.

NetProfiler

  • NOT IMPACTED as EXP ciphers are disabled by default.

NetShark versions 10.8.1 and higher

  • NOT IMPACTED as EXP ciphers are disabled by default and DH ciphers are not allowed.
    • This applies to the web interface/REST API/packet analyzer communication as well as MNMP communication with NetProfiler.
  • It is recommended that earlier versions of the software be upgraded to the latest one.

Portal
AppResponse

  • NOT IMPACTED as EXP ciphers are not supported.



SteelFusion products

SteelHead EX
SteelFusion Edge
SteelFusion Core (physical and virtual)

  • SteelHead EX 3.6.1 and higher is NOT IMPACTED.
  • For all other releases of SteelHead EX and SteelFusion, the risk is LOW and can be mitigated with the following workaround:
    • Enable only HIGH security ciphers, which do not include any EXP ciphers, using the CLI command 'web ssl cipher HIGH:-aNULL:-kKRB5:-MD5'.



Riverbed websites

  • Under investigation



Riverbed open source

Wireshark
WinPcap
WinDump

  • Under investigation

Last Modified: 2015-10-02