You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Nate Cole (JIRA)" <ji...@apache.org> on 2015/08/26 22:49:06 UTC
[jira] [Updated] (AMBARI-12393) Ambari Server is vulnerable to
logjam
[ https://issues.apache.org/jira/browse/AMBARI-12393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nate Cole updated AMBARI-12393:
-------------------------------
Fix Version/s: (was: 2.1.1)
2.1.2
> Ambari Server is vulnerable to logjam
> -------------------------------------
>
> Key: AMBARI-12393
> URL: https://issues.apache.org/jira/browse/AMBARI-12393
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.1.0
> Environment: Red Hat Enterprise Linux Server release 6.6
> Reporter: Jeffrey E Rodriguez
> Priority: Critical
> Fix For: 2.1.2
>
>
> All Ambari servers running in Jetty server as well as the Ambari server itself are vulnerable to LogJam see details.
> https://weakdh.org/
> Test setting up Ambari SSL.
> 1. create certificate
> openssl genrsa -out $wserver.key 2048
> openssl req -new -key $wserver.key -out $wserver.csr
> openssl x509 -req -days 365 -in $wserver.csr -signkey $wserver.key -out $wserver.crt
> where #wscver is hostname of ambari server.
> 2. run ambari-server setup-security
> 3. Run openssl to check DH key lenght
> penssl s_client -connect bdvs1390.svl.ibm.com:8444 -cipher "EDH" | grep "Server Temp Key"
> depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = sever.com, emailAddress = test
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = server.com, emailAddress = test
> verify return:1
> Server Temp Key: DH, 1024 bits
> Furthermore, some versions of Firefox would reject the certificate so Ambari server would not be accessible from browser.
> Jira https://issues.apache.org/jira/browse/KNOX-566 has already been open for Knox.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)