Disable support for LOW encryption ciphers for glassfish port no 3920

The Qualys team found a vulnerability with our Glassfish on port no 3920.

glassfish version :- glassfish-3.1.2.2

Port no :- 3920,3820

Below are the details from Qualys:

Messages encrypted with LOW encryption ciphers are easy to decrypt.
Commercial SSL servers should only support MEDIUM or HIGH strength
ciphers to guarantee transaction security.

Impact :- An attacker can exploit this vulnerability to decrypt secure
communications without authorization.

Let us know how to fix this vulnerability for ports 3920 and 3820 in Glassfish-3.1.2.2.

Answer

The SSL/TLS standards don’t mandate a single specific encryption cipher, but allow the client and the server to negotiate to select one they both support.

To improve interoperability most server implementations support – by default – the largest possible range of ciphers, including some which are now considered weak (e.g. RC4). That’s what triggers Qualys.

In your Glassfish server you can override the defaults and restrict the list of supported encryption ciphers in the configuration. Check the create-ssl directive and set for instance:

create-ssl --ssl2enabled=false --ssl3enabled=true --tlsenabled=true ....
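A worked version of the cipher restriction the answer points at, added here and not part of the question or the answer: it uses asadmin set on the listener's ssl element (ssl3-tls-ciphers takes comma-separated JSSE cipher names prefixed with +, and anything not listed is disabled), then checks with openssl s_client that a LOW/EXPORT/RC4 handshake is refused. The listener name https-3920 is a hypothetical placeholder for whatever listener serves port 3920 in your domain, and the example additionally turns SSLv3 off; the asadmin and openssl steps only run when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumes: asadmin on PATH, the DAS running with its default admin port,
# and LISTENER set to the real name of the protocol serving the port
# (https-3920 below is a hypothetical placeholder).

# GlassFish ssl3-tls-ciphers: comma-separated JSSE names, '+' to enable.
# Only AES_128 suites are listed so the list also works on JDKs without
# the unlimited-strength JCE policy; unlisted suites (RC4, DES, EXPORT,
# NULL) are disabled, which is what clears the "LOW ciphers" finding.
strong_ciphers() {
    printf '%s' '+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
}

# Dotted name of the listener's <ssl> element inside server-config.
ssl_path() {
    printf 'configs.config.server-config.network-config.protocols.protocol.%s.ssl' "$1"
}

# Prints the four asadmin set commands for one listener (run them via sh).
set_commands() {
    p=$(ssl_path "$1")
    printf 'asadmin set %s.ssl2-enabled=false\n' "$p"
    printf 'asadmin set %s.ssl3-enabled=false\n' "$p"   # SSLv3 off as well
    printf 'asadmin set %s.tls-enabled=true\n' "$p"
    printf 'asadmin set %s.ssl3-tls-ciphers=%s\n' "$p" "$(strong_ciphers)"
}

# Returns 0 when a handshake using the given OpenSSL cipher spec is refused.
# Empty stdin makes s_client exit right after the handshake attempt.
handshake_refused() {
    ! printf '' | openssl s_client -connect "localhost:$1" -cipher "$2" >/dev/null 2>&1
}

if [ "${APPLY:-0}" = 1 ]; then
    set_commands "${LISTENER:-https-3920}" | sh -e
    port="${PORT:-3920}"
    # A strong suite must still connect, otherwise a "refused" LOW result
    # could just mean the local openssl build lacks those ciphers.
    handshake_refused "$port" 'AES128-SHA' && { echo "strong suite refused: check config/openssl"; exit 1; }
    handshake_refused "$port" 'LOW:EXPORT:RC4' && echo "LOW/EXPORT/RC4 refused on port $port"
fi
```
Repeat the same commands for the listener behind port 3820, then restart the instance before re-running the scan.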

Attribution
Source : Link , Question Author : user1726453 , Answer Author : HBruijn
