1684332 – logging-es using cryptographically weak hashing algorithm.

Bug 1684332 - logging-es using cryptographically weak hashing algorithm.

Summary: logging-es using cryptographically weak hashing algorithm.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Logging
Sub Component:
Version:	3.9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	3.9.z
Assignee:	Jeff Cantrill
QA Contact:	Anping Li
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1685618 1686135
TreeView+	depends on / blocked

Reported:	2019-03-01 01:34 UTC by sfu@redhat.com
Modified:	2019-04-09 14:20 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048) Consequence: The keys are more vulnerable Fix: Increase the key strength Result: The certificates are more secure
Clone Of:
Clones:	1685618 (view as bug list)
Environment:
Last Closed:	2019-04-09 14:20:18 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift openshift-ansible pull 11315	0	None	closed	[release-3.9] bug 1685618. Modify default_md for logging cert generation	2020-09-09 07:35:56 UTC
Red Hat Product Errata	RHBA-2019:0619	0	None	None	None	2019-04-09 14:20:27 UTC

Description sfu@redhat.com 2019-03-01 01:34:31 UTC

Description of problem:
SSL/TLS: Certificate Signed Using A Weak Signature Algorithm


How reproducible:
Customer using Vulnerability scanning tool to get this issue report


Below is the details:
==============================================
Summary
The remote service is using a SSL/TLS certificate in the certificate chain that has been signed
using a cryptographically weak hashing algorithm.


Vulnerability Detection Result
The following certificates are part of the certificate chain but using insecure
,→signature algorithms:
Subject:
CN=logging-es,OU=OpenShift,O=Logging
Signature Algorithm: sha1WithRSAEncryption


Solution
Solution type: Mitigation
Servers that use SSL/TLS certificates signed with a weak SHA-1, MD5, MD4 or MD2 hashing
algorithm will need to obtain new SHA-2 signed SSL/TLS certificates to avoid web browser
SSL/TLS certificate warnings.


Vulnerability Insight
The following hashing algorithms used for signing SSL/TLS certificates are considered crypto-
graphically weak and not secure enough for ongoing use:
- Secure Hash Algorithm 1 (SHA-1)
- Message Digest 5 (MD5)
- Message Digest 4 (MD4)
- Message Digest 2 (MD2)
Beginning as late as January 2017 and as early as June 2016, browser developers such as Microsoft
and Google will begin warning users when visiting web sites that use SHA-1 signed Secure Socket
Layer (SSL) certificates.
NOTE: The script preference allows to set one or more custom SHA-1 fingerprints of CA certifi-
cates which are trusted by this routine. The fingerprints needs to be passed comma-separated
and case-insensitive:
Fingerprint1
or
fingerprint1,Fingerprint2


Vulnerability Detection Method
Check which hashing algorithm was used to sign the remote SSL/TLS certificate.
Details:SSL/TLS: Certificate Signed Using A Weak Signature Algorithm
OID:1.3.6.1.4.1.25623.1.0.105880
Version used: $Revision: 8810 $
==============================================

Comment 2 Anping Li 2019-03-25 09:42:10 UTC

verified the fix is in openshift-ansible:v3.9.74

Comment 4 errata-xmlrpc 2019-04-09 14:20:18 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0619

Note You need to log in before you can comment on or make changes to this bug.