How to resolve CVE-2016-2183, the SWEET32 Vulnerability

  • 7024780
  • 14-Aug-2020
  • 01-Sep-2020

Environment

Verastream Host Integrator versions 7.5.70 through 7.8.49

Situation

This technical note describes how to resolve the SWEET32 Vulnerability, CVE-2016-2183.

Resolution

See https://nvd.nist.gov/vuln/detail/CVE-2016-2183 for a description of the SWEET32 vulnerability.

The SWEET32 vulnerability is resolved by disabling the one 3DES cipher suite that the Verastream Host Integrator Session Server still offers, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA. Add it to the disabledCipherSuites property in the file service-ctx.xml, which is found on Windows in <installDir>\Verastream\HostIntegrator\sesssrvr\services\ws\META-INF and on Unix/Linux in /opt/microfocus/verastream/hostintegrator/sesssrvr/services/ws/META-INF.

To add that cipher suite, open service-ctx.xml in a text editor and find the property disabledCipherSuites. This is a blacklist of cipher suites: anything listed here is never negotiated, so adding a suite here removes it from the server's TLS offer. Add TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA to the bottom of this list, as shown below.

<!-- HTTPS cipher suite blacklist -->
<property name="disabledCipherSuites">
       <list>
                <value>TLS_GREASE_5A</value>                       <!-- 0x5a5a -->
                <value>TLS_RSA_WITH_AES_256_GCM_SHA384</value>     <!-- 0x009d -->
                <value>TLS_RSA_WITH_AES_128_GCM_SHA256</value>     <!-- 0x009c -->
                <value>TLS_RSA_WITH_AES_256_CBC_SHA256</value>     <!-- 0x003d -->
                <value>TLS_RSA_WITH_AES_128_CBC_SHA256</value>     <!-- 0x003c -->
                <value>TLS_RSA_WITH_AES_256_CBC_SHA</value>        <!-- 0x0035 -->
                <value>TLS_RSA_WITH_AES_128_CBC_SHA</value>        <!-- 0x002f -->
                <value>TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>   <!-- 0x0013 -->
                <value>TLS_RSA_WITH_3DES_EDE_CBC_SHA</value>       <!-- 0x000a -->
                <value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value> <!-- 0xc012, added for SWEET32 -->
       </list>
</property>

Save the file and close it.

Restart the Verastream Host Integrator Session Server.
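The edit above is easy to apply by hand on one server, but on several servers it is worth scripting so the change is idempotent and can be audited before the restart. The following is an added example written for this note; it is not Micro Focus code and does not ship with Verastream Host Integrator. It works on a constructed stand-in for service-ctx.xml (the bean id and class are made up, only the disabledCipherSuites property mirrors the note), locates the blacklist regardless of any XML namespace, reports which of the three 3DES suites named in the note are still missing from it, and appends TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA only if it is not already present. It requires Python 3.8 or later because it keeps the `<!-- 0x... -->` comments through the rewrite, which the default ElementTree parser would silently discard.

```python
"""Idempotently add a cipher suite to the disabledCipherSuites blacklist
of a service-ctx.xml-style Spring context file.

Added example for this note, not Micro Focus/Verastream code.
"""
import xml.etree.ElementTree as ET

# The three 3DES suites the note names; the ECDHE one is the SWEET32 fix.
SWEET32_SUITE = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
TRIPLE_DES_SUITES = (
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    SWEET32_SUITE,
)

# Constructed stand-in for service-ctx.xml (bean id/class are hypothetical);
# only the disabledCipherSuites property mirrors the real file.
SAMPLE_SERVICE_CTX = """<?xml version="1.0" encoding="UTF-8"?>
<beans>
  <bean id="exampleHttpsConfig" class="example.HttpsConfig">
    <!-- HTTPS cipher suite blacklist -->
    <property name="disabledCipherSuites">
      <list>
        <value>TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value> <!-- 0x0013 -->
        <value>TLS_RSA_WITH_3DES_EDE_CBC_SHA</value>     <!-- 0x000a -->
      </list>
    </property>
  </bean>
</beans>
"""


def _parse(xml_text):
    # insert_comments=True (Python 3.8+) keeps the hex-id comments in the tree;
    # the default parser drops comments, so a rewrite would lose them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _local(el):
    # Namespace-agnostic local tag name; comment nodes have a non-string tag.
    return el.tag.rsplit("}", 1)[-1] if isinstance(el.tag, str) else None


def _blacklist(root):
    # Find <property name="disabledCipherSuites"> and return its <list>.
    for el in root.iter():
        if _local(el) == "property" and el.get("name") == "disabledCipherSuites":
            for child in el:
                if _local(child) == "list":
                    return child
    raise ValueError("disabledCipherSuites <list> not found")


def _values(lst):
    return [v.text.strip() for v in lst if _local(v) == "value" and v.text]


def disabled_suites(xml_text):
    """Cipher suites currently blacklisted, in file order."""
    return _values(_blacklist(_parse(xml_text)))


def undisabled_3des(xml_text):
    """3DES suites from the note that are NOT yet blacklisted (audit view)."""
    have = set(disabled_suites(xml_text))
    return [s for s in TRIPLE_DES_SUITES if s not in have]


def disable_suite(xml_text, suite=SWEET32_SUITE):
    """Return (new_xml, added). Unchanged input and added=False if present."""
    root = _parse(xml_text)
    lst = _blacklist(root)
    if suite in _values(lst):
        return xml_text, False
    # Reuse the whitespace before the first <value> as the indent for the new one.
    indent = lst.text if lst.text and not lst.text.strip() else "\n"
    new = ET.SubElement(lst, "value")
    new.text = suite
    if len(lst) > 1:
        prev = lst[-2]          # previous last child (a value or its comment)
        new.tail = prev.tail    # keep the whitespace that preceded </list>
        prev.tail = indent
    else:
        new.tail = indent
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, True


if __name__ == "__main__":
    print("missing before:", undisabled_3des(SAMPLE_SERVICE_CTX))
    patched, added = disable_suite(SAMPLE_SERVICE_CTX)
    print("added:", added)
    print("missing after:", undisabled_3des(patched))
    print(patched)
```

To use it on a real installation, read service-ctx.xml from the META-INF directory named in this note, pass its contents to `disable_suite`, write the result back only when `added` is true, then restart the Session Server as described above. After the restart, a handshake restricted to 3DES (for example `openssl s_client -connect host:port -cipher 3DES`) should fail, which confirms the suite is no longer offered.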

Status

Security Alert