
[WebApp Secure/Mykonos] WebApp Secure vulnerability to CVE-2015-2808


Article ID: KB30382 KB Last Updated: 28 Dec 2015Version: 1.0
Summary:

RC4 cipher suites must be removed from the SSL cipher string of every SSL-enabled WebApp Secure application; otherwise the appliance is exposed to the network-exploitable RC4 weakness tracked as CVE-2015-2808. This article is applicable to all versions of the product.

Symptoms:

CVE-2015-2808 (the "Bar Mitzvah" RC4 weakness) is exploitable over the network whenever an RC4 cipher suite is negotiated in SSL or TLS: an attacker who can capture enough RC4-protected sessions can recover plaintext from the initial bytes of a stream. Any WebApp Secure application that still offers RC4 suites is therefore affected.

For more information, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2808.

Solution:

The default cipher string in WebApp Secure includes RC4 suites, so RC4 can be negotiated for any application that has SSL enabled and has not overridden the cipher string.

The following is the default string that is used by WebApp Secure:

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+RC4:EDH+aRSA:EECDH:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

As a workaround for CVE-2015-2808, set the cipher string below on each SSL application. The string uses OpenSSL cipher-list syntax: the added !RC4 entry permanently removes every suite that uses RC4, regardless of key exchange (the !EECDH+aRSA+RC4 entry is therefore redundant but harmless), while the remaining positive entries keep the AES-GCM and AES-SHA256 ECDHE/DHE suites of the default string.

[mykonos@JWAS ~]$ cli config
config> set applications.APPNAME.ssl.ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:!EECDH+aRSA+RC4:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

To verify the cipher configuration:

config> show applications.APPNAME.ssl.ciphers
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:!EECDH+aRSA+RC4:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
config>

Note: Replace "APPNAME" in the config syntax with the relevant application name. If there are multiple SSL applications, run the set and show commands for each of them. The show command only confirms the configured string; to confirm that RC4 is no longer negotiable, also test the listener from outside with a client restricted to RC4 suites (for example, openssl s_client -cipher RC4 -connect host:443 from a host whose OpenSSL build still includes RC4) and verify that the handshake is refused.
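The two cipher strings above are OpenSSL cipher lists, so the effect of the change can be checked offline by expanding both strings with the local OpenSSL library and comparing the resulting suite lists. The following is an added example written for this article, not code shipped with WebApp Secure; the function names (expand, rc4_suites, suites_dropped_by_fix, server_accepts_rc4) are my own. It uses the local OpenSSL via Python's ssl module, which may differ from the library on the appliance: recent OpenSSL builds omit RC4 entirely, in which case even the default string expands to no RC4 suites and the live probe reports that it cannot speak RC4.

```python
import socket
import ssl

# Cipher strings as given in the KB article: the WebApp Secure default and the
# RC4-free replacement set with "set applications.APPNAME.ssl.ciphers".
DEFAULT_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+RC4:"
    "EDH+aRSA:EECDH:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
)
HARDENED_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:!EECDH+aRSA+RC4:"
    "EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
)


def expand(cipher_string):
    """Return the suite names the local OpenSSL would offer for an OpenSSL-syntax
    cipher string, in preference order (TLS 1.3 suites, if supported, are
    always listed because set_ciphers() does not govern them)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def rc4_suites(cipher_string):
    """Suites in the expansion whose name marks them as RC4-based."""
    return [name for name in expand(cipher_string) if "RC4" in name]


def suites_dropped_by_fix():
    """Suites offered by the default string but not by the hardened one.
    On a build that still ships RC4 this is exactly the RC4 suites; on a
    build without RC4 it is empty, which is why an offline expansion alone
    cannot prove the appliance was vulnerable before the change."""
    after = set(expand(HARDENED_CIPHERS))
    return [name for name in expand(DEFAULT_CIPHERS) if name not in after]


def server_accepts_rc4(host, port=443, timeout=5.0):
    """Live check to run after applying the fix: offer a live server only RC4
    suites (TLS <= 1.2, so TLS 1.3 cannot mask the result). Returns True if an
    RC4 suite was negotiated, False if the server refused, and None if the
    local OpenSSL build has no RC4 suites to offer at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # we are testing ciphers, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("RC4")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "RC4" in tls.cipher()[0]
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    print("default string offers RC4 suites :", rc4_suites(DEFAULT_CIPHERS))
    print("hardened string offers RC4 suites:", rc4_suites(HARDENED_CIPHERS))
    print("suites removed by the fix        :", suites_dropped_by_fix())
```

Run it with no arguments to see the two expansions side by side; the hardened list must contain no RC4 entry and must be a subset of the default list, so nothing other than RC4 is lost. Use server_accepts_rc4() against the reconfigured application's SSL port from a host that still has RC4 compiled into OpenSSL; a result of False is the expected outcome after the fix.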
