Learn how to use Enterprise Manager Maintenance Mode and what it is used for.
Tag: exacqVision Enterprise
Issue
Accessing our licensing server from Enterprise Manager on a restricted network will require an exception to the outbound firewall rules. Please add exacq.com and port 443 to the outbound firewall rules to open access.
<br>
Version Affected
All.
<br>
If your exacqVision Enterprise Manager is already using HTTPS as described in our Knowledge Base Article ‘How to Enable HTTPS for ESM’ you can make sure you are using strong ciphers and the most current ssl protocol using this document.
<br>
Locate and make the indicated changes to the file httpd-ssl.conf
<br>
Windows
C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\extra\httpd-ssl.conf
<br>
Linux
/usr/local/exacq/esm/apache_solr/apache2/conf/extra/httpd-ssl.conf
<br>
Find SSLCipherSuite and SSLProxyCipherSuite and make sure they match the following.
<br>
Find the SSL Protocol Support section and make sure the following is set as follows. Note, it may be possible to user TLSv1.3 but it has not been tested yet.
<br>
Verifying
To verify the endpoint is running as expected for your Enterprise Manager HTTPS site.
<br>
Run the following command from a Linux machine with openssl installed.
<br>
Note the output under SSL-Session.
<br>
Enabling-stronger-cipher-protocol-security-with-Enterprise-Manager.pdfTyco Security Solutions has confirmed a vulnerability in the exacqVision Enterprise System Manager (ESM) v5.12.2 application whereby unauthorized privilege escalation can be achieved and providing guidance on mitigation actions to avoid a potential exploit.
<br>
Scope: This vulnerability impacts exacqVision ESM v5.12.2 and all prior versions of ESM running on a Windows operating system (except Windows Server). This issue does not impact Linux deployments with permissions that are not inherited from the root directory.
<br>
Mitigation: The following mitigating steps are recommended for Windows 10 Desktop OS. Other versions of Windows may have different nomenclature, but the same mitigating steps are recommended.
<br>
Launch a command prompt with Administrator privileges, then run the following 4 commands sequentially:
- cacls C:\exacqVisionESM /e /R “Authenticated Users”
- cacls C:\exacqVisionESM\uninstall.exe /e /R “Authenticated Users”
- cacls C:\exacqVisionESM\EnterpriseSystemManager /e /T /R “Authenticated Users”
- cacls C:\exacqVisionESM\apache_solr /e /T /R “Authenticated Users”
<br>
Open the ‘Services’ applet and restart all of the following:
- ESMImporter
- ESMDatarolloff
- ESMSendemail
- ESMWebservice
- solrJetty
- solrApache
<br>
Fix: Tyco Security Solutions is working on a fix that will be incorporated into a future version of the exacqVision ESM that will not require the foregoing manual mitigation process to be executed.
<br>
References: CPP-PSA-2019-01 – Please visit the Tyco Security Solutions, Cyber Protection website to register for and download security advisories.
<br>
Modifying-ESM-Security-Access.pdf