
TLS Robot Vulnerability detected on Bolt port 7687

Neo4j version: 4.0.4

Vulnerability: TLS ROBOT Vulnerability Detected

Qualys ID: 38695

Diagnosis: The TLS vulnerability is also known as Return of Bleichenbacher's Oracle Threat (ROBOT). ROBOT allows an attacker to obtain the RSA key necessary to decrypt TLS traffic under certain conditions. To detect this, the vulnerable ciphers should be disabled.

Consequence: An attacker could exploit this vulnerability by sending crafted TLS messages to the device, which would act as an oracle and allow the attacker to carry out a chosen-ciphertext attack.

The above-mentioned vulnerability was reported by the information security team, and they want us to remediate it. On doing some research, I found that Neo4j makes implicit use of the ciphers that are included as part of the Java platform. I would like to know how we can disable the ciphers at the JDK level. Or is there any other way of disabling the ciphers from Neo4j?


The Cipher settings are configurable through

dbms.ssl.policy.bolt.ciphers

A comma-separated list of cipher suites that will be allowed during cipher negotiation. Valid values depend on the current JRE and SSL provider; see the note below for examples.

They need to be configured independently for bolt, https, cluster, backup (and fabric if used).
Those keywords go instead of bolt above.

See: https://neo4j.com/docs/operations-manual/current/security/ssl-framework/#ssl-settings
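The ROBOT finding concerns cipher suites whose key exchange is static RSA (the server's RSA key encrypts the premaster secret), so the remediation the reply points at is to restrict each `dbms.ssl.policy.<scope>.ciphers` list to forward-secret suites. The script below is an added example, not code from the original thread or from Neo4j: it parses a constructed `neo4j.conf` fragment, audits every enabled SSL policy scope (bolt, https, cluster, backup, fabric) for `TLS_RSA_*` suites or for a missing cipher list, and prints a replacement line. The setting names follow the Neo4j 4.x SSL framework; the cipher-suite names follow the JSSE naming convention, and the sample configuration and the allow-list are illustrative choices, not a Neo4j recommendation.

```python
"""Audit a neo4j.conf fragment for static-RSA key-exchange cipher suites.

Added example (not from the original post or from Neo4j). Assumes the Neo4j 4.x
settings dbms.ssl.policy.<scope>.enabled and dbms.ssl.policy.<scope>.ciphers and
JSSE cipher-suite naming.
"""

SCOPES = ("bolt", "https", "cluster", "backup", "fabric")

# Illustrative allow-list (JSSE names): TLS 1.3 suites and ephemeral-ECDH suites
# only, so the server's RSA key is never used to encrypt the premaster secret.
RECOMMENDED_CIPHERS = (
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
)

# Constructed neo4j.conf fragment for demonstration; not a real deployment.
SAMPLE_CONF = """\
# bolt: explicit list, but it still allows a static-RSA suite
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.base_directory=certificates/bolt
dbms.ssl.policy.bolt.ciphers=TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

# https: forward-secret suites only
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

# cluster: enabled with no cipher list, so the JRE default list applies
dbms.ssl.policy.cluster.enabled=true
"""


def parse_conf(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_rsa_key_exchange(suite):
    """True for suites whose key exchange is static RSA (the ROBOT-relevant ones).

    In JSSE naming these start with TLS_RSA_ or SSL_RSA_. Suites such as
    TLS_ECDHE_RSA_* use RSA only to sign the handshake; the session key comes
    from ephemeral ECDH, which a padding oracle on RSA decryption cannot recover.
    """
    return suite.startswith(("TLS_RSA_", "SSL_RSA_"))


def audit(settings):
    """Return {scope: [findings]} for every enabled SSL policy scope."""
    findings = {}
    for scope in SCOPES:
        enabled = settings.get(f"dbms.ssl.policy.{scope}.enabled", "false")
        if enabled.lower() != "true":
            continue  # policy not in use; nothing to check
        problems = []
        raw = settings.get(f"dbms.ssl.policy.{scope}.ciphers")
        if raw is None:
            problems.append("no explicit cipher list; JRE defaults apply and may include TLS_RSA_* suites")
        else:
            for suite in (s.strip() for s in raw.split(",") if s.strip()):
                if is_rsa_key_exchange(suite):
                    problems.append(f"static-RSA key-exchange suite allowed: {suite}")
        findings[scope] = problems
    return findings


def remediation_line(scope):
    """The neo4j.conf line that restricts a scope to the recommended suites."""
    return f"dbms.ssl.policy.{scope}.ciphers=" + ",".join(RECOMMENDED_CIPHERS)


if __name__ == "__main__":
    for scope, problems in audit(parse_conf(SAMPLE_CONF)).items():
        print(f"{scope}: {'OK' if not problems else '; '.join(problems)}")
        if problems:
            print("  fix:", remediation_line(scope))
```

Run it against the real `neo4j.conf` by replacing `SAMPLE_CONF` with the file contents. Note that a scope whose policy is enabled but has no `ciphers` line is reported as well, because in that case Neo4j falls back to whatever the JRE offers, which is exactly the situation the question describes; after restarting the database, confirm with the scanner that the finding no longer appears for port 7687.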
