Details
By default docker UCP is configured to use TLS v1.2, if this setting is misconfigured, older protocols containing security weaknesses could be utilized. TLS requires a handshake between client and server which is where the TLS version utilized in the connection is negotiated. For DoD use cases, all TLS must be at version 1.2.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
This fix only applies to the UCP component of Docker Enterprise.
via CLI:
Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.
AUTHTOKEN=$(curl -sk -d ‘{‘username’:'[ucp_username]’,’password’:'[ucp_password]’}’ https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H ‘Authorization: Bearer $AUTHTOKEN’ https://[ucp_url]/api/ucp/config-toml > ucp-config.toml
Open the ‘ucp-config.toml’ file under the ‘[cluster_config]’ section set ‘min_TLS_version = TLSv1.2’.
Save the file.
Execute the following commands to update UCP with the new configuration:
curl -sk -H ‘Authorization: Bearer $AUTHTOKEN’ –upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.
References
- 800-53|AC-17(2)
- CAT|II
- CCI|CCI-001453
- Rule-ID|SV-235874r627749_rule
- STIG-ID|DKER-EE-006280
- STIG-Legacy|SV-104923
- STIG-Legacy|V-95785
- Vuln-ID|V-235874