Spectrum Tomcat Cipher Vulnerabilities
Article ID: 190511
A security scan of a OneClick system may report the following vulnerabilities if Tomcat is configured to use SSL and is using the out-of-the-box connector configuration:
ssl-anon-ciphers - TLS/SSL Server Supports Anonymous Cipher Suites with no Key Authentication
ssl-static-key-ciphers - TLS/SSL Server Supports The Use of Static Key Ciphers
ssl-null-ciphers - TLS/SSL Server Supports Null Cipher Algorithms
Release: 10.3.x
Component: Spectrum OneClick
To resolve these vulnerabilities, please remove the following ciphers from the SSL connector section in the <SPECROOT>/tomcat/conf/server.xml file:
Save the file, then restart Tomcat for the changes to take effect.
If you have any additional questions related to the configuration, please contact Spectrum support.
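
To confirm the edit before restarting, the `ciphers` attribute in server.xml can be checked for suites that fall under the three findings above. This is an added example, not CA/Broadcom code: the name patterns are an assumption based on standard JSSE/IANA cipher suite naming (not the scanner's own logic), the sample connector is constructed, and OpenSSL-style cipher strings are not handled.

```python
import re
import xml.etree.ElementTree as ET

# Name-based categories (assumption: suites are listed by JSSE/IANA name).
RULES = [
    ("ssl-anon-ciphers", re.compile(r"_anon_", re.I)),
    ("ssl-null-ciphers", re.compile(r"_WITH_NULL_")),
    # Static key exchange: plain RSA, or fixed (non-ephemeral) DH / ECDH.
    ("ssl-static-key-ciphers",
     re.compile(r"^(TLS|SSL)_(RSA|DH_(RSA|DSS)|ECDH_(RSA|ECDSA))_")),
]

def classify(suite):
    """Return the scanner finding names a cipher suite name falls under."""
    return [name for name, rx in RULES if rx.search(suite)]

def audit_server_xml(xml_text):
    """Map each flagged suite in any `ciphers` attribute to its findings."""
    flagged = {}
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag not in ("Connector", "SSLHostConfig"):
            continue
        # Attribute may be comma- and/or whitespace-separated across lines.
        for suite in re.split(r"[,\s]+", elem.get("ciphers", "").strip()):
            hits = classify(suite) if suite else []
            if hits:
                flagged[suite] = hits
    return flagged

# Constructed sample, not the product's shipped server.xml.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
             TLS_RSA_WITH_AES_128_CBC_SHA,
             TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
             TLS_DH_anon_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_NULL_SHA"/>
</Service></Server>"""

if __name__ == "__main__":
    for suite, findings in audit_server_xml(SAMPLE).items():
        print(f"{suite}: {', '.join(findings)}")
```

An empty result from `audit_server_xml` on the real file's contents means no listed suite matches these name patterns; a rescan after the restart remains the authoritative check.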