
Spectrum Tomcat Cipher Vulnerabilities


Article ID: 190511


Updated On:

Products

CA Spectrum

Issue/Introduction

When a security scan is run against a OneClick system whose Tomcat is configured for SSL with the out-of-box connector configuration, the following findings may be reported:

ssl-anon-ciphers - TLS/SSL Server Supports Anonymous Cipher Suites with no Key Authentication

ssl-static-key-ciphers - TLS/SSL Server Supports The Use of Static Key Ciphers

ssl-null-ciphers - TLS/SSL Server Supports Null Cipher Algorithms

Environment

Release : 10.3.x

Component : Spectrum OneClick

Resolution

To resolve these findings, remove the following cipher suites from the cipher list configured on the SSL connector in the <SPECROOT>/tomcat/conf/server.xml file:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Save the file, then restart Tomcat for the change to take effect. Before restarting, confirm that at least one cipher suite supported by the browsers and OneClick clients in use remains in the list; a connector with no usable suites will refuse every HTTPS connection. Re-run the security scan afterwards to confirm the three findings are no longer reported.
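The following script is an added example, not code from this article or from Apache Tomcat. It parses a constructed server.xml fragment (not the OneClick out-of-box file), reports which suites on the SSL connector would raise each of the three findings named above, applies the article's removal list, and prints the resulting cipher list. The name patterns it uses to classify suites (NULL bulk cipher, anonymous key exchange, static RSA/DH/ECDH key exchange) are this example's assumption about what the finding titles describe and may not match a given scanner's exact definitions; the connector attributes shown are likewise illustrative.

```python
"""Audit the cipher list of a Tomcat SSL connector in server.xml.

Added example, not code from the Spectrum article or from Apache Tomcat.
The sample server.xml is constructed for illustration, and the suite-name
patterns used for classification are this example's assumption.
"""
import xml.etree.ElementTree as ET

# Constructed sample: an HTTPS connector whose cipher list mixes
# forward-secret suites with suites a scanner would flag.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DH_anon_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_NULL_SHA" />
  </Service>
</Server>
"""

# The four suites the article instructs you to remove.
ARTICLE_REMOVE_LIST = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
}

# Key-exchange prefixes that use a long-term (static) key and so give no
# forward secrecy. Assumed mapping for the "static key ciphers" finding.
STATIC_KX_PREFIXES = ("TLS_RSA_WITH_", "TLS_DH_RSA_", "TLS_DH_DSS_",
                      "TLS_ECDH_RSA_", "TLS_ECDH_ECDSA_")


def ssl_connector_ciphers(xml_text):
    """Return {port: [suite, ...]} for every Connector with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    found = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # Newlines and spaces inside the attribute are tolerated by Tomcat.
        suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
        found[conn.get("port")] = suites
    return found


def classify(suite):
    """Map one IANA-style suite name to the finding it would raise, or None."""
    name = suite.upper()
    if "_NULL_" in name or name.endswith("_WITH_NULL"):
        return "ssl-null-ciphers"          # no encryption at all
    if "_ANON_" in name:
        return "ssl-anon-ciphers"          # DH_anon / ECDH_anon: no server authentication
    if name.startswith(STATIC_KX_PREFIXES):
        return "ssl-static-key-ciphers"    # static RSA/DH/ECDH key exchange
    return None


def findings(suites):
    """Return {finding: [suites]} for the weak suites in a cipher list."""
    report = {}
    for s in suites:
        f = classify(s)
        if f:
            report.setdefault(f, []).append(s)
    return report


def strip_suites(suites, to_remove):
    """Return the cipher list with the named suites removed, order preserved."""
    return [s for s in suites if s not in to_remove]


def hardened_list(suites):
    """Apply the article's removal list, then drop anything classify() flags."""
    kept = [s for s in strip_suites(suites, ARTICLE_REMOVE_LIST) if classify(s) is None]
    if not kept:
        # An empty cipher list leaves the connector unable to complete any handshake.
        raise ValueError("no cipher suites would remain; the connector would be unusable")
    return kept


if __name__ == "__main__":
    for port, suites in ssl_connector_ciphers(SAMPLE_SERVER_XML).items():
        print(f"connector port {port}: {len(suites)} suites configured")
        for finding, weak in findings(suites).items():
            print(f"  {finding}: {', '.join(weak)}")
        print('  hardened attribute: ciphers="' + ",".join(hardened_list(suites)) + '"')
```

Point the script at the real file with `ssl_connector_ciphers(open(path).read())` after taking a backup; it only reads and reports, so the edit to server.xml is still made by hand as the article describes. Connectors that use OpenSSL-style cipher strings (for example `HIGH:!aNULL`) rather than IANA suite names are not expanded by this example.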

Additional Information

If you have any additional questions related to the configuration, please contact Spectrum support.