lacework-global-400

Load balancer allows weak SSL communication (Automated)

Description

Alert when a load balancer has a protocol configured as part of its SSL policy that includes any version lower than Transport Layer Security (TLS) 1.2. Older versions of TLS are risky and vulnerable to many types of attacks. Several standards and guidelines, such as PCI DSS and those of the National Institute of Standards and Technology (NIST), strongly encourage the use of TLS 1.2.

Remediation

From Console:

  1. Log in to the OCI console.
  2. From the navigation menu, select Networking.
  3. Under Load Balancers, select Load Balancer.
  4. Click the name of a load balancer allowing weak SSL communication.
  5. Under Resources, click Backend sets or Listeners, depending on the source of the misconfiguration.
  6. Click the kebab menu next to an item in the table and click Edit.
  7. Click Show advanced options.
  8. Under TLS version, click the X next to any versions less than 1.2.
  9. Click Save changes.
  10. Click Close.
  11. Repeat steps 5-10 for any other misconfigured backend sets or listeners.

From CLI:

  1. Execute the following command to get a list of load balancers:

    oci lb load-balancer list --compartment-id <compartment_ocid>

  2. For each load balancer backend set, execute the following command to update the list of allowed protocols:

    oci lb backend-set update --backend-set-name <backend_set_name> --load-balancer-id <load_balancer_id> --policy <policy> --health-checker-protocol <protocol> --backends <backends> --ssl-certificate-name <ssl_certificate_name> --protocols '["TLSv1.2"]'

  3. When prompted, type 'y' and press 'Enter'.

  4. For each load balancer listener, execute the following command to update the list of allowed protocols:

    oci lb listener update --load-balancer-id <load_balancer_id> --listener-name <listener_name> --default-backend-set-name <backend_set_name> --port <port> --protocol <protocol> --ssl-certificate-name <ssl_certificate_name> --protocols '["TLSv1.2"]'

  5. When prompted, type 'y' and press 'Enter'.
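As an added example (not part of the Lacework policy or Oracle's documentation), the following Python script applies the check from the Description to the JSON that `oci lb load-balancer list` prints, reporting every listener or backend set whose SSL policy still allows a TLS version below 1.2, so you know which resources the remediation steps above need to touch. The kebab-case key names (`display-name`, `listeners`, `backend-sets`, `ssl-configuration`, `protocols`) are assumed from the CLI's JSON output format, and the embedded sample data is constructed.

```python
import json
import sys

MIN_TLS = (1, 2)  # lowest TLS version the policy accepts; anything below it is a finding

def tls_version(protocol):
    """Parse an OCI protocol name such as 'TLSv1.2' into (1, 2); None if it is not a TLS version."""
    if not protocol.startswith("TLSv"):
        return None
    major, _, minor = protocol[4:].partition(".")
    return (int(major), int(minor or 0))  # 'TLSv1' has no minor part and means 1.0

def weak_protocols(ssl_config):
    """Protocols in an ssl-configuration block below TLS 1.2; non-TLS names are flagged too."""
    if not ssl_config:
        return []  # plain HTTP/TCP listener or backend set: no SSL policy to evaluate
    weak = []
    for proto in ssl_config.get("protocols") or []:
        version = tls_version(proto)
        if version is None or version < MIN_TLS:
            weak.append(proto)
    return weak

def audit_load_balancers(cli_output):
    """Return (lb name, kind, resource name, weak protocols) per misconfigured listener or backend set in `oci lb load-balancer list` JSON (kebab-case keys, assumed)."""
    findings = []
    for lb in json.loads(cli_output)["data"]:
        for kind in ("listeners", "backend-sets"):
            for name, resource in (lb.get(kind) or {}).items():
                weak = weak_protocols(resource.get("ssl-configuration"))
                if weak:
                    findings.append((lb["display-name"], kind, name, weak))
    return findings

# Constructed sample shaped like `oci lb load-balancer list` output; not data from a real tenancy.
SAMPLE_CLI_OUTPUT = json.dumps({"data": [
    {"display-name": "lb-web",
     "listeners": {"https-443": {"port": 443, "ssl-configuration": {"protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"]}},
                   "http-80": {"port": 80, "ssl-configuration": None}},
     "backend-sets": {"bs-app": {"policy": "ROUND_ROBIN", "ssl-configuration": {"protocols": ["TLSv1.2"]}}}},
    {"display-name": "lb-legacy",
     "listeners": {"https-8443": {"port": 8443, "ssl-configuration": {"protocols": ["TLSv1.1"]}}},
     "backend-sets": {"bs-old": {"policy": "ROUND_ROBIN", "ssl-configuration": {"protocols": ["TLSv1.1", "TLSv1.2"]}}}},
]})

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLI_OUTPUT
    for lb_name, kind, name, weak in audit_load_balancers(raw):
        print(f"{lb_name}: {kind}/{name} allows {', '.join(weak)}")
```

Pipe real output in with `oci lb load-balancer list --compartment-id <compartment_ocid> --all | python3 audit_lb_tls.py`; with nothing on stdin the script runs against the constructed sample.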

References

https://docs.oracle.com/en-us/iaas/cloud-guard/using/detect-recipes.htm#detect-recipes-ref-config__LB_WEAK_SSL_COMMUNICATION
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managinglisteners_topic-Editing_Listeners.htm
https://docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingbackendsets_topic-Editing_Backend_Sets.htm
https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.30.2/oci_cli_docs/cmdref/lb/listener/update.html
https://docs.oracle.com/en-us/iaas/tools/oci-cli/3.30.2/oci_cli_docs/cmdref/lb/backend-set/update.html