Hi,
Received the below vulnerability on port 2121 for application server.
Below are the details
severity->high
hostname-> A.B.C.D
port-> 2121
protocol-> TCP
Infrastructure Detail -> ALM 15 App Server
name -> TLS Version 1.0 Protocol Detection
output -> TLSv1 is enabled and the server supports at least one cipher.
description "The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used whenever possible.
As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits."
synopsis The remote service encrypts traffic using an older version of TLS.
id -> 104743
ipv4 -> AA.BBB.CC.DD
operating_system -> ['Microsoft Windows Server 2016 Standard']
solution -> Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.
cve
cvss3_base_score -> 6.5
family -> Service detection
see_also ['https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00']
We have already made the changes in "E:\ProgramData\Micro Focus\ALM\server\conf\jetty-ssl.xml" for excluding the TLSv1 protocol, as below.
Locate the "ExcludeProtocols" section and ensure that entries for SSLv3, TLSv1, and TLSv1.1 protocols are included, as illustrated below: -
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
<Item>TLSv1</Item>
<Item>TLSv1.1</Item>
<Item>SSLv2Hello</Item>
</Array>
</Set>
Create an "IncludeProtocols" section just below the "ExcludeProtocols" section, with the content below: -
<Set name="IncludeProtocols">
<Array type="String">
<Item>TLSv1.2</Item>
<Item>TLSv1.3</Item>
</Array>
</Set>
Why is TLS Version 1.0 Protocol Detection occurring on port 2121 even after doing the exclusion in jetty-ssl.xml?
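A practical way to answer the question above is to check two things independently: what the jetty-ssl.xml protocol lists say the listener should offer, and what the listener on port 2121 actually negotiates. If the two disagree, either the running Jetty instance has not re-read the file, or the process bound to 2121 is not the one reading this file at all. The script below is an added example, not code from the original post or from Micro Focus; it parses a constructed jetty-ssl.xml fragment (shaped like the snippets in the post), derives the expected protocol set, and probes a host/port with one handshake per TLS version using Python's ssl module. The host and port are placeholders to be replaced with the scanned endpoint.

```python
"""Cross-check the TLS versions a listener offers against jetty-ssl.xml.

Added example (not from the original post or the ALM product):
  - jetty_protocol_lists() reads ExcludeProtocols/IncludeProtocols from the XML
  - expected_versions() turns those lists into "should this version be offered?"
  - probe_version() attempts one handshake pinned to a single TLS version
  - mismatches() reports versions that are offered although the config disables them
"""
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed sample: a minimal fragment in the shape of the snippets posted above.
SAMPLE_JETTY_SSL_XML = """<Configure>
  <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
        <Item>SSLv2Hello</Item>
      </Array>
    </Set>
    <Set name="IncludeProtocols">
      <Array type="String">
        <Item>TLSv1.2</Item>
        <Item>TLSv1.3</Item>
      </Array>
    </Set>
  </New>
</Configure>"""

# Protocol names as Jetty spells them, mapped to Python's ssl enumeration.
KNOWN_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def jetty_protocol_lists(xml_text):
    """Return {'ExcludeProtocols': [...], 'IncludeProtocols': [...]} from the XML."""
    root = ET.fromstring(xml_text)
    result = {"ExcludeProtocols": [], "IncludeProtocols": []}
    for setter in root.iter("Set"):
        name = setter.get("name")
        if name in result:
            result[name] = [item.text.strip() for item in setter.iter("Item") if item.text]
    return result


def expected_versions(lists):
    """Per TLS version: True if the config should allow it, False if it should not.

    An empty IncludeProtocols list means "no explicit allow-list", so every known
    version is a candidate; ExcludeProtocols always wins over IncludeProtocols.
    """
    include = lists["IncludeProtocols"] or list(KNOWN_VERSIONS)
    exclude = set(lists["ExcludeProtocols"])
    return {v: (v in include and v not in exclude) for v in KNOWN_VERSIONS}


def probe_version(host, port, version_name, timeout=5.0):
    """True if the server completes a handshake at exactly this version,
    False if it refuses, None if the local OpenSSL cannot even attempt it
    (e.g. TLS 1.0 disabled by the client-side security level) or the port is unreachable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # verification is irrelevant for a version probe
    ctx.verify_mode = ssl.CERT_NONE     # self-signed ALM certificates are common
    try:
        ctx.minimum_version = KNOWN_VERSIONS[version_name]
        ctx.maximum_version = KNOWN_VERSIONS[version_name]
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer legacy suites if built with them
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == version_name
    except ssl.SSLError:
        return False
    except OSError:
        return None


def mismatches(observed, expected):
    """Versions the server negotiated although the config says they are disabled."""
    return [v for v, offered in observed.items() if offered and not expected.get(v, False)]


if __name__ == "__main__":
    HOST, PORT = "A.B.C.D", 2121  # placeholders: replace with the scanned endpoint
    expected = expected_versions(jetty_protocol_lists(SAMPLE_JETTY_SSL_XML))
    observed = {v: probe_version(HOST, PORT, v) for v in KNOWN_VERSIONS}
    for v in KNOWN_VERSIONS:
        print(f"{v:8s} expected={expected[v]!s:5s} observed={observed[v]}")
    print("still offered despite config:", mismatches(observed, expected))
```

If TLSv1 still negotiates after the Jetty service has been restarted, confirm that the process listening on 2121 is the Jetty instance that reads this jetty-ssl.xml (on Windows Server, `netstat -ano | findstr :2121` or `Get-NetTCPConnection -LocalPort 2121` maps the port to a PID); a different listener, or a second connector defined elsewhere in the Jetty configuration, would not be affected by these lists. When the probe returns None for TLSv1 it means the scanning host's own OpenSSL refused to offer TLS 1.0, not that the server refused it, so run the probe from a host whose TLS library still permits legacy versions.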