Security: SSL Medium Strength Ciphers (SWEET32) reported on kubernetes and docker ports

Bug #1869525 reported by Ghada Khalil
Affects: StarlingX | Status: Triaged | Importance: Low | Assigned to: Andy | Milestone: (none)

Bug Description

Brief Description
-----------------
Nessus scan reports the following medium security finding:
SSL Medium Strength Ciphers (SWEET32): kubernetes and docker ports
This is reported on K8s port 6443 and docker port 9002 (docker registry token server).

Severity
--------
Major - security concern

Branch/Pull Time/Commit
-----------------------
Tested on stx master

Test Activity
-------------
Security Scan

Tags: stx.security
Ghada Khalil (gkhalil)
tags: added: stx.security
Ghada Khalil (gkhalil) wrote :

Would be nice to fix in stx.4.0 as this is a security concern

Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
Ghada Khalil (gkhalil)
tags: added: stx.4.0
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Michel Thebeau [WIND] (mthebeau) wrote :

The nessus report text is:

42873 (4) - SSL Medium Strength Cipher Suites Supported (SWEET32)

(tcp/6443)

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

(tcp/9002)

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Per our discussion, the kube-apiserver version at the time of report was v1.16.2
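A parser for the Nessus cipher-line format quoted above, applying the plugin's "medium strength" rule (key > 64 and < 112 bits, or 3DES), plus a live check that a port such as 6443 or 9002 no longer completes a handshake with 3DES after remediation. This is an added example, not code from the report or from StarlingX; the host/port arguments are assumptions and the third sample line (an AES-GCM suite, to show a non-flagged case) is constructed.

```python
import re
import socket
import ssl

# Constructed sample in the report's field format: the two suites flagged on tcp/6443
# and tcp/9002, plus one strong suite that must not be flagged.
NESSUS_LINES = """\
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# {ciphername} Kx={..} Au={..} Enc={method}({bits}) Mac={..} [export]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?:\s+(?P<export>export))?$"
)

def parse_cipher_line(line):
    """Split one cipher line into its fields; 'bits' is the nominal key length."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised cipher line: {line!r}")
    f = m.groupdict()
    f["bits"] = int(f["bits"])
    f["export"] = f["export"] is not None
    return f

def is_medium_strength(cipher):
    """Plugin rule: 64 < key bits < 112, or any 3DES suite (64-bit block, hence SWEET32)."""
    return cipher["enc"].startswith("3DES") or 64 < cipher["bits"] < 112

def sweet32_findings(report_text):
    """Names of the suites in a report excerpt that the plugin would flag."""
    suites = (parse_cipher_line(l) for l in report_text.splitlines() if l.strip())
    return [c["name"] for c in suites if is_medium_strength(c)]

def server_offers_3des(host, port, timeout=5.0):
    """Live re-check: True if the endpoint handshakes when the client offers only 3DES."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE              # cipher negotiation is all we test here
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # 3DES suites exist only up to TLS 1.2
    ctx.set_ciphers("3DES")                      # SSLError if this OpenSSL has no 3DES
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return "DES-CBC3" in tls.cipher()[0]
    except ssl.SSLError:                         # handshake failed: no shared cipher
        return False
```

Running `sweet32_findings(NESSUS_LINES)` returns the two 3DES suite names from the report; `server_offers_3des("<controller-ip>", 6443)` should return False once the apiserver's cipher list excludes them.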

Ghada Khalil (gkhalil) wrote :

Lowering the priority. This is a would-be-nice to fix, but doesn't strictly hold up stx.4.0

tags: removed: stx.4.0
Changed in starlingx:
importance: Medium → Low