Updated: September 25, 2017
Weak 64-bit block ciphers have been found susceptible to an attack known as Sweet32. New versions of Nmap will include a check to see whether any susceptible ciphers are enabled. Because of this, running the Nmap scan on the CCM displays this warning:
64-bit block cipher 3DES vulnerable to SWEET32 attack
64-bit block cipher IDEA vulnerable to SWEET32 attack
This issue is not directly related to CloudCenter, but to the Tomcat server that CloudCenter uses. Note that the Nmap scan does not state that the Virtual Machine (VM) is vulnerable to the attack; it merely states that the VM uses a cipher that is vulnerable. Other conditions must also be in place for this attack to succeed, and Nmap does not test for them.
A core ticket, CORE-15086, has been created for this issue. The solution is still in progress: OpenSSL is being updated to version 1.1.0+, which in turn will patch the flaw.
Engineering has stated that the error message can be safely ignored. However, there is a workaround if needed.
Secure Shell (SSH) into the CCM.
Scroll down until you find the section that starts with <Connector port="10443".
The line that starts with SSLCipherSuite= lists the ciphers that are allowed and not allowed.
At the end of each of those lines add: !3DES:!IDEA
After you start Tomcat, 3DES and IDEA will no longer be used and so the Nmap scan will no longer report any warnings.
Note: This workaround has not been tested for compatibility and some users might no longer be able to connect to the CCM User Interface (UI). Users with Windows XP and those that run IE v8 might not be able to connect anymore. However, it has not been tested.
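The following is an added example, not Cisco's or CloudCenter's own code: a Python check that reads a Tomcat server.xml, reports which Connector SSLCipherSuite values still lack the !3DES and !IDEA exclusions, and shows each string with the missing exclusions appended. The sample XML, the ports other than 10443, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not the actual CCM configuration file.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="10443" SSLEnabled="true" SSLCipherSuite="HIGH:MEDIUM:!aNULL:!MD5" />
    <Connector port="8443" SSLEnabled="true" SSLCipherSuite="HIGH:!aNULL:!3DES:!IDEA" />
    <Connector port="9443" SSLEnabled="true" SSLCipherSuite="AES256-SHA:DES-CBC3-SHA:!IDEA" />
  </Service>
</Server>
"""

# OpenSSL cipher-string keywords for the two 64-bit block ciphers Nmap reported.
SWEET32_KEYWORDS = ("3DES", "IDEA")

def tokens(cipher_string):
    """Split an OpenSSL cipher string on its separators (colon, comma, space)."""
    return [t for t in re.split(r"[:, ]+", cipher_string.strip()) if t]

def missing_exclusions(cipher_string):
    """Keywords from SWEET32_KEYWORDS that are not removed with a '!' token."""
    present = set(tokens(cipher_string))
    return [k for k in SWEET32_KEYWORDS if "!" + k not in present]

def harden(cipher_string):
    """Append the missing '!3DES' / '!IDEA' exclusions; idempotent."""
    missing = missing_exclusions(cipher_string)
    return ":".join([cipher_string.strip().rstrip(":")] + ["!" + k for k in missing])

def audit(server_xml):
    """Return {port: (missing keywords, hardened string)} for each Connector."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        suite = conn.get("SSLCipherSuite")
        if suite is None:
            continue  # connectors without an explicit cipher list are skipped
        report[conn.get("port")] = (missing_exclusions(suite), harden(suite))
    return report

if __name__ == "__main__":
    for port, (missing, fixed) in audit(SAMPLE_SERVER_XML).items():
        status = "ok" if not missing else "add " + ":".join("!" + k for k in missing)
        print(f"port {port}: {status} -> {fixed}")
```

A "!" token permanently removes the matching ciphers in OpenSSL cipher-string syntax, so the port 9443 sample is still flagged for 3DES even though it excludes IDEA, because it names DES-CBC3-SHA explicitly.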