Apache Update, RabbitMQ TLS Versions

cordm · ‎09-17-2020

We recently had a security audit that included a test of our SystemLink server. It turns out that the Apache server that is outdated (version 2.4.29) and has multiple security issues. I upgraded SystemLink to 2020 R3, but Apache was not upgraded. I am not sure how to rate those vulnerabilities or in what way the NI Webserver is different from Apache.

Additionally, the RabbitMQ/Cowboy server at port 5673 and 15672 was reported to allow weak encryption using TLS 1.0 and TLS 1.1 with weak ciphers. Since this is not an issue for Apache I was wondering if this is an issue in the configuration of the server?

Is there some action I can take to mitigate these vulnerabilities? Are those services used in a way that an exploit is unlikely?

MarkBlack · ‎09-22-2020

Hi cordm,

Thank you for escalating this concern.

Per the web server: We've identified a breakdown in our process that has prevented us from upgrading our web server more frequently. We have resolved this and I expect we'll ship an updated version of Apache httpd in our R4 release.

Per RabbitMQ: We've unforunately had to hold off upgrading this component due to legacy Windows 7 support. When we upgraded the version of RabbitMQ and TLS during development, SystemLink would crash on Windows 7 machines. Luckily our support for Windows 7 expires in 2021 and we intend on shipping an updated version of RabbitMQ in our first 2021 release.

Per mitigating concerns regarding the TLS version used by RabbitMQ, its best to make changes such that you no longer depend on AMQP. I would encourage you to move all your clients from AMQP to HTTP (I provided some rational in another thread) and disable the Enable AMQP Client Access flag in NI SystemLink Server Configuration > NI SystemLink Service Manager > Security.

Mark
NI App Software R&D

cordm · ‎01-11-2021

Thanks! SystemLink 2020 R4 was released in December and ships with apache 2.4.46.

Exile · ‎01-27-2021

Hello Mark;

We are still seeing a TLS 1.0 vulnerability after installing R4 and disabling AMQP. Is the only other option to wait for the RabbitMQ upgrade?

Thanks

Gordon

MarkBlack · ‎01-28-2021

Hi Gordon,

Thank you for escalating this concern. You are correct that version of RabbitMQ/Erlang shipping with SystemLink 2020R4 only supports TLS 1.0. We were prevented from upgrading this component sooner due to a cross-company requirement to support Windows 7 through 2020. Versions of RabbitMQ that support TLS 1.2 and 1.3 did not support Windows 7. Now that it is 2021 we are no longer constrained by this requirements, and we are upgrading to the latest version of RabbitMQ and Erlang to support TLS 1.2 and 1.3. This support will be delivered in our 2021R1 release expected this Spring.

Cheers,

Mark

Mark
NI App Software R&D

Exile · ‎01-28-2021

Thank you. We will install 2021 R1 as soon as it is available.

Gordon

MarkBlack · ‎02-10-2021

Hi Gordon,

With help from the development team we were able to verify that our current version of RabbitMQ can and does use TLS 1.2. Additionally we can adjust the configuration to disable older versions of TLS. This is likely why TLS 1.1 is showing up in your audit.

Open %programdata%/National Instruments/Skyline/RabbitMQ/rabbitmq.config
Modify the configuration as shown in this sceenshot

(Because this is hard to see I will also write out what you need to do.
1. Within the ssl_options array, add a new JSON object
  {versions, ['tlsv1.2', 'tlsv1.3']}
Save the file and restart SystemLink Service Manager from the SystemLink Server Configuration utility that is installed on your SystemLink app server.

Mark
NI App Software R&D

SystemLink Forum

Apache Update, RabbitMQ TLS Versions

Apache Update, RabbitMQ TLS Versions

Re: Apache Update, RabbitMQ TLS Versions

Re: Apache Update, RabbitMQ TLS Versions

Re: Apache Update, RabbitMQ TLS Versions

Re: Apache Update, RabbitMQ TLS Versions

Re: Apache Update, RabbitMQ TLS Versions

Re: Apache Update, RabbitMQ TLS Versions