Log Insight 2.5: No POODLE

There have been two major security vulnerabilities exposed this year that impacted most VMware products: ShellShock and POODLE. Log Insight addressed ShellShock by releasing a patch for Log Insight 1.5 GA, 2.0 GA, and 2.5 TP3 and newer. In Log Insight 2.5 GA the POODLE attack has also been mitigated. In short, SSLv3 has been disabled. To my knowledge, this is the first VMware product with a server-side fix against POODLE that does not require manual user intervention. Note that previous versions of Log Insight have not been patched for POODLE. If you wish to disable SSLv3 on previous versions of Log Insight, read on.


To disable SSLv3 on previous versions of Log Insight, SSH to the virtual appliance and edit /usr/lib/loginsight/application/etc/3rd_config/server.xml. Search for “XX_STRATA_HTTPS_PORT_XX” and you will find a section that looks like:

    <Connector port="XX_STRATA_HTTPS_PORT_XX" maxHttpHeaderSize="65536" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" compression="1024"
               compressableMimeType ="text/html,text/xml,text/plain,text/css,text/javascript,application/json"
               keystoreFile="conf/keystore" keystorePass="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>

To this section, a protocols name/value pair needs to be added so the section looks like this:

    <Connector port="XX_STRATA_HTTPS_PORT_XX" maxHttpHeaderSize="65536" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" compression="1024"
               protocols="TLSv1.2,TLSv1.1,TLSv1"
               compressableMimeType ="text/html,text/xml,text/plain,text/css,text/javascript,application/json"
               keystoreFile="conf/keystore" keystorePass="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>

Now just restart the Log Insight service (service loginsight restart) and you are all set. You can easily verify that SSLv3 is disabled by running openssl s_client with the -ssl3 flag (which forces the client to offer only SSLv3) from a remote system with openssl installed. If SSLv3 is enabled you will see:

    $ openssl s_client -connect 192.168.1.25:443 -ssl3
    CONNECTED(00000003)
    depth=0 /C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=vCenter Log Insight/CN=VMware vCenter Log Insight
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=vCenter Log Insight/CN=VMware vCenter Log Insight
    verify return:1
    ...

If SSLv3 is disabled you will see:

    $ openssl s_client -connect 192.168.1.29:443 -ssl3
    CONNECTED(00000003)
    868:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s3_pkt.c:290:
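If you have several appliances to go through, the server.xml edit above is easy to script. The following is an added example (not code from the post or from Log Insight) that audits a Tomcat-style server.xml for HTTPS Connectors that do not pin their protocols and adds the same protocols="TLSv1.2,TLSv1.1,TLSv1" attribute; the sample XML inside it is constructed to mirror the Connector shown above, and the function names are my own.

```python
import xml.etree.ElementTree as ET

SAFE_PROTOCOLS = "TLSv1.2,TLSv1.1,TLSv1"  # the value the post adds

# Constructed sample mirroring the Connector shown in the post (not the real file).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="XX_STRATA_HTTP_PORT_XX" protocol="HTTP/1.1"/>
    <Connector port="XX_STRATA_HTTPS_PORT_XX" maxHttpHeaderSize="65536"
               protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" URIEncoding="UTF-8" compression="1024"
               keystoreFile="conf/keystore" keystorePass="xxxx"/>
  </Service>
</Server>
"""

def _protocol_list(conn):
    """Split a Connector's protocols attribute; empty list if it is unset."""
    return [p.strip() for p in conn.get("protocols", "").split(",") if p.strip()]

def https_connectors(root):
    """Yield every Connector that terminates TLS (SSLEnabled="true")."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn

def offers_sslv3(protocols):
    """True when SSLv3 may be negotiated: listed explicitly, or no
    restriction at all (the default, which the post shows left SSLv3 on)."""
    return not protocols or any(p.upper().startswith("SSLV") for p in protocols)

def audit(xml_text):
    """Map each HTTPS Connector port to its enabled protocol list."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): _protocol_list(c) for c in https_connectors(root)}

def harden(xml_text, protocols=SAFE_PROTOCOLS):
    """Pin protocols on every HTTPS Connector still offering SSLv3.
    Returns (new_xml, number_changed). ElementTree drops XML comments,
    so keep a backup of server.xml before writing the result back."""
    root = ET.fromstring(xml_text)
    changed = 0
    for conn in https_connectors(root):
        if offers_sslv3(_protocol_list(conn)):
            conn.set("protocols", protocols)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed
```

Running harden() a second time on its own output changes nothing, so it is safe to include in a config-management run; the Log Insight service still has to be restarted afterwards for the change to take effect.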

© 2014 – 2021, Steve Flanders. All rights reserved.