I got below vulnerabilities for NodeManager service in Weblogic version 12.1.3.0.0 and JDK 1.8.0_101-b13
{ "port": 5556, "serviceName": "remotewatch?", "protocol": "tcp", "severity": 2, "pluginID": 42873, "pluginName": "SSL Medium Strength Cipher Suites Supported (SWEET32)", "pluginFamily": "General", "description": "The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.\n\nNote that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.", "fname": "ssl_medium_supported_ciphers.nasl", "pluginModificationDate": "2019/02/28", "pluginType": "remote", "riskFactor": "Medium", "scriptVersion": "1.20", "solution": "Reconfigure the affected application if possible to avoid use of medium strength ciphers.", "synopsis": "The remote service supports the use of medium strength SSL ciphers.", "pluginOutput": "\n Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)\n\n EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1 \n ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1 \n DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 \n\nThe fields above are :\n\n {OpenSSL ciphername}\n Kx={key exchange}\n Au={authentication}\n Enc={symmetric encryption method}\n Mac={message authentication code}\n {export flag}\n", "cve": "CVE-2016-2183", "complianceCheckName": null, "complianceActualValue": null }
{ "port": 5556, "serviceName": "remotewatch?", "protocol": "tcp", "severity": 1, "pluginID": 83875, "pluginName": "SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)", "pluginFamily": "Misc.", "description": "The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. Through cryptanalysis, a third party may be able to find the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.", "fname": "ssl_logjam.nasl", "pluginModificationDate": "2019/11/27", "pluginType": "remote", "riskFactor": "Low", "scriptVersion": "1.24", "solution": "Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.", "synopsis": "The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.", "pluginOutput": "\nVulnerable connection combinations :\n\n SSL/TLS version : TLSv1.0\n Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA\n Diffie-Hellman MODP size (bits) : 1024\n Warning - This is a known static Oakley Group2 modulus. This may make\n the remote host more vulnerable to the Logjam attack.\n Logjam attack difficulty : Hard (would require nation-state resources)\n\n SSL/TLS version : TLSv1.0\n Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA\n Diffie-Hellman MODP size (bits) : 1024\n Warning - This is a known static Oakley Group2 modulus. This may make\n the remote host more vulnerable to the Logjam attack.\n Logjam attack difficulty : Hard (would require nation-state resources)\n\n SSL/TLS version : TLSv1.0\n Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA\n Diffie-Hellman MODP size (bits) : 1024\n Warning - This is a known static Oakley Group2 modulus. This may make\n the remote host more vulnerable to the Logjam attack.\n Logjam attack difficulty : Hard (would require nation-state resources)\n\n SSL/TLS version : TLSv1.1\n Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA\n Diffie-Hellman MODP size (bits) : 1024\n Warning - This is a known static Oakley Group2 modulus. This may make\n the remote host more vulnerable to the Logjam attack.\n Logjam attack difficulty : Hard (would require nation-state resources)\n\n SSL/TLS version : TLSv1.1\n Cipher suite : TLS1_CK_DHE_RSA_WITH_3DES_EDE_CBC_SHA\n Diffie-Hellman MODP size (bits) : 1024\n Warning - This is a known static Oakley Group2 modulus. This may make\n the remote host more vulnerable to the Logjam attack.\n Logjam attack difficulty : Hard (would require nation-state resources)\n\n SSL/TLS version : TLSv1.1\n Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA\n Diffie-Hellman MODP size (bits) : 1024\n Warning - This is a known static Oakley Group2 modulus. This may make\n the remote host more vulnerable to the Logjam attack.\n Logjam attack difficulty : Hard (would require nation-state resources)\n", "cve": "CVE-2015-4000", "complianceCheckName": null, "complianceActualValue": null }
I have tried to add "-Djdk.tls.ephemeralDHKeySize=2048" in the NodeManager process, but it didn't help.
Any comments/suggestions?
Have you verified if your NM process reflects the new DH key size? Or you can try to edit lib/security/java.security for java 1.8 version and change the key size to 2048 instead.
Changing minimum key length for Diffie-Hellman