ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeffrey E Rodriguez (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-12393) Ambari Server is vulnerable to logjam
Date Sun, 12 Jul 2015 20:06:04 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-12393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jeffrey E  Rodriguez updated AMBARI-12393:
------------------------------------------
    Summary: Ambari Server is vulnerable to logjam  (was: Ambari Server is vulnerable to logjam
vulnerability)

> Ambari Server is vulnerable to logjam
> -------------------------------------
>
>                 Key: AMBARI-12393
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12393
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0
>         Environment: Red Hat Enterprise Linux Server release 6.6 
>            Reporter: Jeffrey E  Rodriguez
>            Priority: Critical
>             Fix For: 2.1.1
>
>
> All Ambari servers running in Jetty server as well as the Ambari server itself are vulnerable
to LogJam vulnerabiity.
> https://weakdh.org/
> Test setting up Ambari SSL.
> 1. create certificate 
> openssl genrsa -out $wserver.key 2048 
>  openssl req -new -key $wserver.key -out $wserver.csr  
>   openssl x509 -req -days 365 -in $wserver.csr -signkey $wserver.key -out $wserver.crt
> where #wscver is hostname of ambari server.
> 2. run ambari-server setup-security
> 3. Run openssl to check DH key lenght
> penssl s_client -connect bdvs1390.svl.ibm.com:8444 -cipher "EDH" | grep "Server Temp
Key"
> depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = sever.com, emailAddress
= test
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = server.com, emailAddress
= test
> verify return:1
> Server Temp Key: DH, 1024 bits
> Furthermore, some versions of Firefox would reject the certificate so Ambari server would
not be accessible from browser.
> Jira https://issues.apache.org/jira/browse/KNOX-566 has already been open for Knox.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message