[jira] [Created] (AMBARI-12393) Ambari Server is vulnerable to logjam vulnerability

Jeffrey E Rodriguez (JIRA) Sun, 12 Jul 2015 13:05:55 -0700

Jeffrey E  Rodriguez created AMBARI-12393:
---------------------------------------------


             Summary: Ambari Server is vulnerable to logjam vulnerability
                 Key: AMBARI-12393
                 URL: https://issues.apache.org/jira/browse/AMBARI-12393
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.1.0
         Environment: Red Hat Enterprise Linux Server release 6.6 
            Reporter: Jeffrey E  Rodriguez
            Priority: Critical
             Fix For: 2.1.1


All Ambari servers running in Jetty server as well as the Ambari server itself 
are vulnerable to LogJam vulnerabiity.
https://weakdh.org/
Test setting up Ambari SSL.
1. create certificate 
openssl genrsa -out $wserver.key 2048 
 openssl req -new -key $wserver.key -out $wserver.csr  
  openssl x509 -req -days 365 -in $wserver.csr -signkey $wserver.key -out 
$wserver.crt
where #wscver is hostname of ambari server.

2. run ambari-server setup-security

3. Run openssl to check DH key lenght
penssl s_client -connect bdvs1390.svl.ibm.com:8444 -cipher "EDH" | grep "Server 
Temp Key"
depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = sever.com, 
emailAddress = test
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = server.com, 
emailAddress = test
verify return:1
Server Temp Key: DH, 1024 bits

Furthermore, some versions of Firefox would reject the certificate so Ambari 
server would not be accessible from browser.

Jira https://issues.apache.org/jira/browse/KNOX-566 has already been open for 
Knox.








--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Created] (AMBARI-12393) Ambari Server is vulnerable to logjam vulnerability

Reply via email to