Operational Defect Database

BugZero updated this defect 38 days ago.

VMware | 95612

SSL Ciphers Vulnerable to SWEET32 used on VIO port 10250

Last update date:

4/11/2024

Affected products:

Integrated OpenStack

Affected releases:

7.x

Fixed releases:

No fixed releases provided.

Description:

Symptoms

A Nessus scan reports CVE-2016-2183 on VIO 7.2.x.

Cause

The kubelet service on the VIO controllers is missing configuration similar to that on VIO Manager.

Resolution

On each controller, edit /var/lib/kubelet/config.yaml:

    tlsCipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

On each controller, edit the line with cipher-suites in /etc/systemd/system/kubelet.service.d/20-cloud.conf:

    --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

After editing the files on each controller, restart kubelet:

    systemctl daemon-reload
    systemctl restart kubelet

After the changes, verify by running this command on each controller:

    ps -ef | grep tls-cipher-suites | more

Note: This is what you must see on the controllers when you run the ps -ef command:

    vioadmin@controller-cm2qchdg5c [ ~ ]$ ps -ef | grep tls-cipher-suites | more
    root 592 1 9 Oct24 ? 2-07:16:50 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --cgroup-driver=cgroupfs --network-plugin=cni --pod-infra-container-image=vmware/pause:3.1 --resolv-conf=/run/systemd/resolve/resolv.conf --node-ip=192.168.0.27 --cloud-provider=vsphere --node-labels=viomachineset=controller1,openstack-control-plane=enabled --feature-gates=StartupProbe=true --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
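The verification step above relies on reading the ps output by eye. The script below is an added example, not part of the VMware article: it extracts the cipher list from a kubelet command line or from config.yaml and fails if any suite is 3DES-based or outside the four suites listed in the resolution. The function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit kubelet TLS cipher settings against the resolution's list.
# On a controller: suites_from_config < /var/lib/kubelet/config.yaml | audit_suites
ALLOWED="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

# Read a kubelet command line on stdin; print one suite per line.
suites_from_cmdline() {
    tr ' ' '\n' | sed -n 's/^--tls-cipher-suites=//p' | tr -d '"' | tr ',' '\n' | sed '/^$/d'
}

# Read config.yaml on stdin; print the entries of the tlsCipherSuites list.
suites_from_config() {
    awk '/^tlsCipherSuites:/ {in_list=1; next}
         in_list && /^[ \t]*-[ \t]*/ {sub(/^[ \t]*-[ \t]*/, ""); print; next}
         in_list {in_list=0}'
}

# Read suites on stdin; return 0 only if the list is non-empty and fully allowed.
audit_suites() {
    rc=0; seen=0
    while IFS= read -r s; do
        seen=1
        case "$s" in *3DES*) echo "SWEET32: $s"; rc=1; continue;; esac
        printf '%s\n' "$ALLOWED" | grep -qxF "$s" || { echo "not in allow-list: $s"; rc=1; }
    done
    [ "$seen" -eq 1 ] || { echo "no explicit cipher list (defaults apply)"; rc=1; }
    return $rc
}

# Constructed sample inputs (not captured from a real controller).
KUBELET='/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml'
SAMPLE_FIXED="$KUBELET --tls-cipher-suites=$(printf '%s' "$ALLOWED" | tr '\n' ',')"
SAMPLE_WEAK="$KUBELET --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
SAMPLE_UNSET="$KUBELET"
SAMPLE_YAML='kind: KubeletConfiguration
tlsCipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
staticPodPath: /etc/kubernetes/manifests'

# Demo: the weak sample is reported and the audit fails.
printf '%s\n' "$SAMPLE_WEAK" | suites_from_cmdline | audit_suites || echo "result: FAIL"
```

Checking both the config file and the running process matters here because the resolution edits two places, and a kubelet that was not restarted still runs with the old command line.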
