Spectrum Tomcat Cipher Vulnerabilities

Article ID: 190511


Products

CA Spectrum DX NetOps

Issue/Introduction

When running a security scan of a OneClick system, the following vulnerabilities may be reported if Tomcat is configured to use SSL and is still using the out-of-box connector configuration:

ssl-anon-ciphers - TLS/SSL Server Supports Anonymous Cipher Suites with no Key Authentication

ssl-static-key-ciphers - TLS/SSL Server Supports The Use of Static Key Ciphers

ssl-null-ciphers - TLS/SSL Server Supports Null Cipher Algorithms

Environment

Release : Any

Component : Spectrum OneClick

Resolution

To resolve these vulnerabilities, remove the following ciphers from the SSL connector section of the $SPECROOT/tomcat/conf/server.xml and $SPECROOT/webtomcat/conf/server.xml files:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Save both files, then restart tomcat and webtomcat for the changes to take effect.
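The following script applies the edit described above to a server.xml and then verifies that none of the four suites remain. It is an added example written for this article, not Broadcom/CA code and not part of the Spectrum product; it assumes the cipher list is carried in a ciphers="..." attribute (on the Connector element, or on SSLHostConfig in newer Tomcat versions), and the sample server.xml it works on is constructed for illustration rather than copied from a Spectrum install.

```python
# Added example for this KB article (not Broadcom/CA code). It assumes the
# cipher list sits in a ciphers="..." attribute, on <Connector> or (newer
# Tomcat versions) on <SSLHostConfig>; SAMPLE_SERVER_XML is constructed.
import re
import sys
from typing import List, Tuple

# The four suites the article says to remove from the SSL connector section.
CIPHERS_TO_REMOVE = (
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
)

# Matches a ciphers attribute in either quote style; group 3 is the value.
_CIPHERS_ATTR = re.compile(r'''(\bciphers\s*=\s*)(["'])([^"']*)\2''')

# Constructed sample: a minimal SSL connector carrying the flagged suites.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- SSL connector; keystore values are placeholders -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/keystore" keystorePass="PLACEHOLDER"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"/>
  </Service>
</Server>
"""


def split_ciphers(value: str) -> List[str]:
    """Split a comma-separated ciphers value, tolerating whitespace and newlines."""
    return [c.strip() for c in value.split(",") if c.strip()]


def flagged_ciphers(xml_text: str) -> List[str]:
    """Return each listed suite still present in any ciphers attribute."""
    found: List[str] = []
    for match in _CIPHERS_ATTR.finditer(xml_text):
        found.extend(c for c in split_ciphers(match.group(3)) if c in CIPHERS_TO_REMOVE)
    return found


def prune_ciphers(xml_text: str) -> Tuple[str, List[str]]:
    """Rewrite every ciphers attribute without the listed suites.

    Works on the raw text rather than a parsed tree, so XML comments and the
    rest of the file's formatting survive unchanged.
    """
    removed: List[str] = []

    def replace(match):
        kept: List[str] = []
        for cipher in split_ciphers(match.group(3)):
            (removed if cipher in CIPHERS_TO_REMOVE else kept).append(cipher)
        return match.group(1) + match.group(2) + ",".join(kept) + match.group(2)

    return _CIPHERS_ATTR.sub(replace, xml_text), removed


def prune_file(path: str) -> List[str]:
    """Apply prune_ciphers to a file in place; returns the suites removed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, removed = prune_ciphers(original)
    if removed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    return removed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: pass the tomcat and webtomcat server.xml paths as arguments.
        for path in sys.argv[1:]:
            print(path, "removed:", prune_file(path))
    else:
        # Demo on the constructed sample.
        new_xml, removed = prune_ciphers(SAMPLE_SERVER_XML)
        print("removed:", removed)
        print("still flagged:", flagged_ciphers(new_xml))
```

Run it against both files named in the resolution (back them up first), then restart tomcat and webtomcat as the article says; flagged_ciphers on the rewritten text is the check that the edit actually took, and running the script a second time removes nothing, so it is safe to repeat after an upgrade restores the stock connector configuration.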

Additional Information

If you have any additional questions related to the configuration, please contact Spectrum support.