HP SIM TLS Session Renegotiation Vulnerability
Keith.Evans (Occasional Contributor, registered 04-21-2010), Message 1 of 3

HP SIM TLS Session Renegotiation Vulnerability


I work as the security analyst focusing on server vulnerability management for the. We have 2 issues. I need to know what patch or what configuration I need to make to resolve identified vulnerabilities.

1st) HP Systems Management Homepage - Windows Systems 2003 - 2008
- Running on port 2381
o TLS Protocol Session Renegotiation

2nd) HP SIM 6.0 CRM - Windows 2008 R2
- Running on port 50,000
o TLS Protocol Session Renegotiation
o SSL Server Supports Weak Encryption

With the first two I need to be able to disable the TLS Session Renegotiation. With the second we need to disable the Weak Encryption (cipher suites) provided by the underlying SIM web server (Tomcat).

The Microsoft TLS Protocol Session Renegotiation fix has been applied. This is fixed with MS KB Patch 977377 (http://www.microsoft.com/technet/security/advisory/977377.mspx).
At the operating system level in the SCHANNEL hive of the registry weak ciphers have been disabled, why is SIM disregarding this? Does SIM use OpenSSL and thus the OS level configuration does not apply?

I have sent this to an HP support rep, Walter Castillo, but have not heard from him in over a week (20100421).


P.S. This thread has been moved from Insight Remote Support > general to ITRC HP Systems Insight Manager Forum - HP Forums moderator

Viktor Balogh (Honored Contributor, registered 03-15-2009), Message 2 of 3

Re: HP SIM TLS Session Renegotiation Vulnerability

For SIM: look for the conf files of Tomcat/SIM; I think the encryption level can be set there somewhere. Here is a doc on the topic:

http://www.hp.com/wwsolutions/misc/downloads/management/hpsim/HPSIM_Security_WP.pdf
****
Unix operates with beer.
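The two findings in the opening post (no secure renegotiation on 2381 and 50000, weak cipher suites accepted on the SIM Tomcat port) can be reproduced from any machine with openssl(1), both before and after a change to the Tomcat configuration Viktor points at. The script below is an added example written for this page; it is not code from the thread or from HP. The host name, the port numbers taken from the post, and the s_client output embedded in it are placeholders or constructed samples, not real captures.

```shell
#!/bin/sh
# Added example, not from the thread or from HP: probe a TLS listener (HP SMH
# on 2381 or the HP SIM Tomcat on 50000 in the post) for the two scanner
# findings with openssl s_client, and classify what comes back.
# Host names and ports used here are placeholders.

# Cipher-suite names (OpenSSL notation) that a 2010-era scanner reports as
# "weak encryption": null/anonymous suites, export and single-DES (<128-bit)
# suites, RC4 and anything using MD5 as the MAC. Returns 0 when weak.
is_weak_cipher() {
    case "$1" in
        *NULL*|ADH-*|AECDH-*|EXP*|*DES-CBC-SHA|*RC4*|*RC2*|*-MD5) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the negotiated suite out of s_client output, which prints a line like
# "New, TLSv1/SSLv3, Cipher is RC4-MD5" after a successful handshake.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is //p' | head -n 1
}

# RFC 5746 status from the "Secure Renegotiation IS [NOT] supported" line.
# "legacy" means the server does not advertise the secure-renegotiation
# extension, which is what a CVE-2009-3555 scanner check keys on.
classify_renegotiation() {
    if printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS supported'; then
        echo rfc5746
    elif printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo legacy
    else
        echo unknown
    fi
}

# One-line verdict for a captured handshake.
summarize_handshake() {
    cipher=$(negotiated_cipher "$1")
    if is_weak_cipher "$cipher"; then weak=yes; else weak=no; fi
    echo "cipher=$cipher weak=$weak renegotiation=$(classify_renegotiation "$1")"
}

# Live probes: need openssl(1) and network access to the target.
# "echo |" closes stdin so s_client exits right after the handshake.
probe_default() {
    echo | openssl s_client -connect "$1:$2" 2>/dev/null
}

# Offer each suite the local OpenSSL classes as weak, one at a time; a server
# that completes the handshake with one of them is what the scanner means by
# "SSL Server Supports Weak Encryption". A refused suite prints
# "New, (NONE), Cipher is (NONE)", which the grep -v filters out.
probe_weak_ciphers() {
    for c in $(openssl ciphers 'NULL:aNULL:EXPORT:LOW:DES:RC4:MD5' | tr ':' ' '); do
        if echo | openssl s_client -connect "$1:$2" -cipher "$c" 2>/dev/null \
               | grep '^New, ' | grep -qv '(NONE)'; then
            echo "ACCEPTED $c"
        fi
    done
}

# Constructed sample (not a real capture) of what s_client prints against a
# server that still negotiates RC4-MD5 and lacks the RFC 5746 extension.
SAMPLE_LEGACY='New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported'

# Usage: sh tls_probe.sh <host> <port>, e.g. sh tls_probe.sh sim-server.example 50000
# With no arguments it only classifies the constructed sample above.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    summarize_handshake "$(probe_default "$1" "$2")"
    probe_weak_ciphers "$1" "$2"
else
    summarize_handshake "$SAMPLE_LEGACY"
fi
```

Run it once against the SIM console on 50000 and once against SMH on 2381, and again after the change; the "ACCEPTED" list should be empty and the renegotiation verdict should read rfc5746. Two caveats (editor's note, not HP guidance): the "Secure Renegotiation IS NOT supported" line only says the server lacks the RFC 5746 extension; whether it still accepts a client-initiated renegotiation is checked by typing R on a line of its own in an interactive openssl s_client session. And in Tomcat generally, the cipher list of a JSSE connector comes from the ciphers attribute on the Connector in server.xml and its renegotiation behaviour from the JRE (Java 6 Update 19 is the release that added RFC 5746 and disabled unsafe renegotiation), while an APR connector uses OpenSSL and the SSLCipherSuite attribute; in neither case do the Windows SCHANNEL registry keys apply, which is why an OS-level change leaves the Tomcat listener untouched. Which connector HP's SIM build uses is not stated on this page.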
Keith.Evans (Occasional Contributor, registered 04-21-2010), Message 3 of 3

Re: HP SIM TLS Session Renegotiation Vulnerability

Thank you Viktor, but that is too high level. I know that HP IHM supports SSLv3 and TLSv1, but I am looking for the specifics as to how HP is remediating the TLS Session Renegotiation issue. Most vendors have released updates to their management consoles which include updates to the underlying OpenSSL which disabled TLS Session Renegotiation. Do you know of a specific patch set or update, or configuration within, that will resolve this? Thanks again, I greatly appreciate your reply. Keith