Spectrum Tomcat Cipher Vulnerabilities
Article ID: 190511
Updated On:
Products
CA Spectrum
Issue/Introduction
When running a security scan of a OneClick system, the following vulnerabilities may show up if tomcat is configured to use SSL and is using the out-of-box connector configuration:
ssl-anon-ciphers - TLS/SSL Server Supports Anonymous Cipher Suites with no Key Authentication
ssl-static-key-ciphers - TLS/SSL Server Supports The Use of Static Key Ciphers
ssl-null-ciphers - TLS/SSL Server Supports Null Cipher Algorithms
Environment
Release : 10.3.x
Component : Spectrum OneClick
Resolution
To resolve these vulnerabilities, please remove the following ciphers from the SSL connector section in the <SPECROOT>/tomcat/conf/server.xml file:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Save the file and then tomcat will need to be restarted for the changes to take effect.
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Save the file and then tomcat will need to be restarted for the changes to take effect.
Additional Information
If you have any additional questions related to the configuration, please contact Spectrum support.
Feedback
Yes
No
Powered by
