LogJam vulnerability (2015)

Document created by mike_aronson Employee on Aug 10, 2015Last modified by mike_aronson Employee on Mar 20, 2017
Version 4Show Document
  • View in full screen mode
The LOGJAM vulnerability is a man-in-the-middle (MITM) type attack which could impact servers and clients.

 

It is based on two potential weaknesses:
1. the use of export ciphers and
2. the use of "small" DH keys.

 

The Dell Boomi team has analyzed the LogJam client and server vulnerability with the following results and recommendations:

Regarding the use of export ciphers, all versions of java that Boomi supports have export ciphers disabled by default.

The small DH key sizes is an issue which has java version specific mitigations:


In java 6 and 7, the DH key size cannot be changed, so the only way to mitigate the issue is to disable all ssl ciphers which include the string "_DHE_" in them.   You can make this change by following
the guidance at this link:

 

http://help.boomi.com/atomsphere/GUID-6223FDE0-E5E7-4FA9-81EB-AD058B93C4E6.html

 

Note that this decision should be tested against all potential clients to ensure that they can still connect successfully.

in java 8, the DH key size can be changed to a secure value and therefore the affected ciphers can be safely used. per

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys , this system property setting should be added to the atom.vmoptions file and restart the atom:


-Djdk.tls.ephemeralDHKeySize=2048


Dell Boomi Platform and Cloud Hosted Servers -
Dell Boomi has analyzed our servers and has determined that none of our external facing servers are vulnerable to the LOGJAM vulnerability.

All of our sites operate on TLS1.0 and TLS1.2.  SSLv3 has been disabled on all of our sites.

Also, Dell Boomi does not enable DHE_EXPORT cipher suites.

Clients (Web browsers)
Customers are recommended to update to the latest supported web browsers.
Follow recommendations at https://weakdh.org/sysadmin.html. Use the test on that URL to determine if you are vulnerable.

Disable support for SSLv2 and SSLv3 and enable support for TLS.

Clients (Atoms):

In Java 6 and 7, exclude  all ssl ciphers which include the string "_DHE_" in them per the guidance at this link:

http://help.boomi.com/atomsphere/GUID-6223FDE0-E5E7-4FA9-81EB-AD058B93C4E6.html

In java 8, the DH key size can be changed to a secure value and therefore the affected ciphers can be safely used. per https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys , this system property setting should be added to the atom.vmoptions file and restart the atom:

-Djdk.tls.ephemeralDHKeySize=2048

Summary

Dell Boomi platform and cloud servers are not vulnerable.

Customer managed atoms/servers should be at TLS1.0 or above and not accepting weak ciphers. Customers should always use the latest web browsers.

Attachments

    Outcomes