Hi all, hoping you are able to confirm the below issue -
The Security Governance team have been over the servers and provided their findings.
- ssl-cve-2011-3389-beast TLS/SSL Server is enabling the BEAST attack
- sslv3-cve-2014-3566-poodle TLS/SSL Server is enabling the POODLE attack
- tlsv1_0-enabled TLS Server Supports TLS version 1.0
- tlsv1_1-enabled TLS Server Supports TLS version 1.1
- sslv3-supported TLS/SSL Server Supports SSLv3
- rc4-cve-2013-2566 TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566)
- ssl-3des-ciphers TLS/SSL Server Supports 3DES Cipher Suite
- ssl-static-key-ciphers TLS/SSL Server Supports The Use of Static Key Ciphers
So they have requested -
Enable TLS1.2
Disable TLS1.0, TLS1.1, SSLv2, SSLv3 and Ciphers.
I know there are the following links to help resolve this:
https://support.solarwinds.com/Success_Center/Virtualization_Manager_(VMAN)/Disable_SSLv3_on_VMAN
Obviously, from the Tomcat section of the POODLE vulnerability, I would only add sslEnabledProtocols="TLSv1.2", which would do some of what is required, but what about Lighttpd, as they don't want TLSv1 or SSLv2?
Will these 2 mitigation links cover off everything on the risk list, or, even better, are these risks entirely removed from the latest release of VMan and now no longer required to be done?
Cheers
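For the Lighttpd side of the question, the fragment below is an added example of a TLS listener that would clear every finding in the list above (SSLv3/POODLE, TLS 1.0/1.1 and BEAST, RC4, 3DES and static-key ciphers). It is not taken from the SolarWinds article or the VMAN appliance; the socket, the certificate path and the assumption that the appliance runs lighttpd 1.4.48 or newer (needed for `ssl.openssl.ssl-conf-cmd`) are assumptions made here.

```conf
# Added example: hardened TLS listener for lighttpd (mod_openssl).
# Assumed values: port 443, certificate at /etc/lighttpd/server.pem,
# lighttpd >= 1.4.48 so that ssl.openssl.ssl-conf-cmd is understood.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/server.pem"

    # sslv3-supported / sslv3-cve-2014-3566-poodle: refuse SSLv2 and SSLv3 outright.
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"

    # tlsv1_0-enabled / tlsv1_1-enabled / ssl-cve-2011-3389-beast:
    # allow only TLS 1.2 (older lighttpd without this option cannot
    # disable TLS 1.0/1.1 and needs an upgrade first).
    ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")

    # rc4-cve-2013-2566 / ssl-3des-ciphers / ssl-static-key-ciphers:
    # forward-secret ECDHE AEAD suites only; !kRSA drops static RSA key
    # exchange, !RC4 and !3DES drop the flagged symmetric ciphers.
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4:!3DES:!kRSA"
}
```

After restarting lighttpd, `openssl s_client -connect <host>:443 -tls1` and `-tls1_1` should fail to handshake while `-tls1_2` succeeds, which is the quickest way to confirm the scanner's protocol findings are gone before it is re-run. Note that on the Tomcat connector `sslEnabledProtocols="TLSv1.2"` only addresses the protocol findings; the RC4, 3DES and static-key items need a matching `ciphers="..."` attribute on that Connector as well.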