Our security team found a critical Appworx TLS 1.0 vulnerability that requires older SSL/TLS versions to be disabled; the scanner reported the messages below. Is there a way to disable TLS 1.0 and enable TLS 2.0?
There is no server-side mitigation available against the BEAST attack. The only option is to disable the affected protocols (SSLv3 and TLS 1.0). The only fully safe configuration is to use Authenticated Encryption with Associated Data (AEAD), e.g. AES-GCM, AES-CCM in TLS 1.2.
Negotiated with the following insecure cipher suites:
- TLS 1.0 ciphers:
  - TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
  - TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
  - TLS_DH_anon_WITH_AES_128_CBC_SHA
  - TLS_DH_anon_WITH_DES_CBC_SHA
  - TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
  - TLS_ECDH_anon_WITH_AES_128_CBC_SHA
Release : 9.3.x, 9.4.x
Component : CA Automic Applications Manager
This issue is resolved by disabling TLS 1.0, enabling TLS 1.1 / 1.2, and using SSL as described in the documentation linked below.
The KB article below gives the steps for enabling TLS 1.2:
https://knowledge.broadcom.com/external/article?articleId=210011
With version 9.40, Apache Tomcat is the default HTTP server. See the documentation link below for details.
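As an added illustration (not Broadcom's code and not the steps from the KB article), the following Python script audits a Tomcat server.xml for the two problems the scanner reported: TLS 1.0 still negotiable, and anonymous, export, DES/3DES or other non-AEAD CBC cipher suites enabled. It assumes the standard Tomcat Connector attributes sslEnabledProtocols and ciphers (or protocols and ciphers on a nested SSLHostConfig); the sample server.xml is constructed for the example.

```python
"""Audit a Tomcat server.xml for TLS 1.0 and weak cipher suites (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: port 8443 still allows TLS 1.0 and anonymous/export suites,
# port 9443 is restricted to TLS 1.2 with AEAD (GCM) suites only.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2"
                     ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
    </Connector>
  </Service>
</Server>"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Suite-name fragments matching the families the scanner listed (anonymous DH/ECDH,
# export grade, DES and 3DES) plus any CBC suite, since only AEAD suites are fully safe.
WEAK_MARKERS = ("_anon_", "_EXPORT_", "_DES_", "_DES40_", "3DES", "_CBC_")

def split_list(value):
    """Tomcat accepts comma-, colon- or whitespace-separated lists."""
    return [v.strip() for v in re.split(r"[,:\s]+", value) if v.strip()]

def audit_server_xml(xml_text):
    """Return one finding per SSL connector: port, legacy protocols, weak ciphers."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        host = conn.find("SSLHostConfig")  # Tomcat 8.5+ nests TLS settings here
        protocols = (host.get("protocols") if host is not None else None) or conn.get("sslEnabledProtocols", "all")
        ciphers = (host.get("ciphers") if host is not None else None) or conn.get("ciphers", "")
        names = split_list(protocols)
        legacy = sorted(p for p in names if p in LEGACY_PROTOCOLS)
        if "all" in names:  # "all" does not exclude TLS 1.0 on JVMs that still support it
            legacy.append("all")
        weak = sorted(c for c in split_list(ciphers) if any(m in c for m in WEAK_MARKERS))
        findings.append({"port": conn.get("port"), "legacy_protocols": legacy, "weak_ciphers": weak})
    return findings

if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML):
        status = "FAIL" if f["legacy_protocols"] or f["weak_ciphers"] else "OK"
        print(status, f)
```

Run it against a copy of the live server.xml to confirm no connector still lists TLSv1 or a suite from the scanner's report after the change.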