weak ciphers-enabled vulnerability


s.p...@gmail.com

Jun 2, 2021, 10:49:07 AM
to Jenkins Users
In our web scans, we are seeing weak ciphers-enabled vulnerability. 
example: Netsparker Enterprise detected that weak ciphers are enabled during
secure communication (SSL).
You should allow only strong ciphers on your webserver to protect
secure communication with your visitors.
List of Supported Weak Ciphers
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)

I tried the remediation suggested in the following link and updated the java.security file as below, but no luck. The vulnerability keeps appearing. Am I missing anything? https://support.cloudbees.com/hc/en-us/articles/216526298-Disabling-Specific-Ciphers-In-Jenkins

jdk.tls.disabledAlgorithms=MD5,SSLv3,DSA, DESede,DES,3DES, RSA keySize < 2048, CBC, TLSv1, TLSv1.1, RC4,DES-CBC3-SHA keySize <256, 3DES_EDE_CBC,RC4,MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, anon, NULL, \

Windows 2012R2 server
JDK 1.8.0_281
Jenkins URL: https:<hostname>:8443

s.p...@gmail.com

Jun 16, 2021, 5:16:27 PM
to Jenkins Users
I was able to remediate the weak ciphers finding by updating jdk.tls.disabledAlgorithms as below:

jdk.tls.disabledAlgorithms=MD5,SSLv3,DSA, DESede,DES,3DES, RSA keySize < 2048, CBC, TLSv1, TLSv1.1, RC4, 3DES_EDE_CBC, RC4, MD5withRSA, DH keySize < 1024, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
    EC keySize < 224, anon, NULL, \
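As an added illustration (not code from the poster, Jenkins or CloudBees): a small Python check that folds the java.security backslash continuations, splits jdk.tls.disabledAlgorithms the way the JDK does (on commas, trimmed), flags empty or malformed entries such as a missing comma between a suite name and the next constraint, and reports which of the four suites from the scan are not yet disabled by name. The embedded sample value is a constructed copy of the first attempt above.

```python
import re

# The four CBC cipher suites the scan on this page flagged.
FLAGGED_SUITES = {
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
# Constraint forms the JDK accepts after a name in jdk.tls.disabledAlgorithms.
CONSTRAINT = re.compile(r"^(keySize\s*(<=|>=|==|!=|<|>)\s*\d+|jdkCA|usage\s+\S.*|denyAfter\s+\S.*)$")

def logical_value(raw: str) -> str:
    """Fold backslash line continuations and return the text after 'key='."""
    joined = "".join(line.rstrip().rstrip("\\") for line in raw.splitlines())
    return joined.split("=", 1)[1]

def parse_disabled_algorithms(raw: str):
    """Split the property as the JDK does (on commas, trimmed). Returns (names,
    problems): bare algorithm/suite names, plus entries the JDK skips (empty)
    or rejects (unknown constraint keyword, usually a missing comma)."""
    names, problems = [], []
    for idx, item in enumerate(logical_value(raw).split(",")):
        item = item.strip()
        if not item:
            problems.append(f"entry {idx}: empty entry (stray comma)")
            continue
        parts = item.split(None, 1)
        names.append(parts[0])
        if len(parts) == 2:
            for c in parts[1].split("&"):
                if not CONSTRAINT.match(c.strip()):
                    problems.append(f"entry {idx}: unknown constraint {c.strip()!r}; missing comma?")
    return names, problems

def missing_flagged_suites(raw: str):
    """Flagged suites that the property does not disable by name."""
    names, _ = parse_disabled_algorithms(raw)
    return sorted(FLAGGED_SUITES - set(names))

# Constructed sample: the poster's first attempt, flagged suites not listed by name.
FIRST_ATTEMPT = (
    "jdk.tls.disabledAlgorithms=MD5,SSLv3,DSA, DESede,DES,3DES, RSA keySize < 2048, CBC, "
    "TLSv1, TLSv1.1, RC4,DES-CBC3-SHA keySize <256, 3DES_EDE_CBC,RC4,,MD5withRSA, "
    "DH keySize < 1024, \\\n    EC keySize < 224, anon, NULL"
)

if __name__ == "__main__":
    print(missing_flagged_suites(FIRST_ATTEMPT), parse_disabled_algorithms(FIRST_ATTEMPT)[1])
```

Re-run the check against the edited java.security value before rescanning; an empty list from missing_flagged_suites means every suite the scanner named is now disabled explicitly.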
