Weak cipher suite enabled on Build Cache Node
- Gradle Enterprise Build Cache Node < 12.5
Related CVE ID(s)
The Gradle Enterprise Build Cache Node uses OpenSSL, when available, in order to handle encrypted connections. When using OpenSSL, the Build Cache Node inadvertently included a cipher suite that would encrypt connections using Triple DES in CBC mode. CVE-2016-2183 allows remote attackers with access to the connection to access plaintext data via a birthday attack when the connection is encrypted using Triple DES in CBC. If the connection between the client and the server is long-lived, the short block size enables the attacker to look at large chunks of encrypted traffic over a single connection and eventually extract plaintext data from the encrypted traffic. This was demonstrated on other applications (not Gradle Enterprise) to be feasible after a 2 day connection that served 785 GB of traffic. As a result, the Build Cache Node is not exploitable as these types of long-lived connections don't exist in that service. As of Build Cache Node version 12.5 and Gradle Enterprise 2022.2.5, the vulnerable cipher suite is no longer considered when encrypting connections.
No mitigation is necessary, but upgrading the Build Cache Node to 12.5 and Gradle Enterprise to 2022.2.5 hardens installations to exclude a weak cipher suite.