We are having our external IP addresses scanned and we have gotten dinged for a PCI vulnerability. The vulnerability is BEAST (Browser Exploit Against SSL/TLS) Vulnerability and I know how to remediate it on IIS/Windows but I do not know how to fix it for Apache. I have found the article for
Mitigation of CVE-2011-3389 (BEAST) for web server administrators but that appears to direct me to only use RC4 ciphers which I understand to not be recommended for secure environments. Also the locked.properties file they mention editing does not exist on my 5.1 security server.
Has anyone secured a View Security Server to mitigate the BEAST vulnerability?
Here is the full vulnerability information from our scan:
BEAST (Browser Exploit Against SSL/TLS) Vulnerability
The SSL protocol encrypts data by using CBC mode with chained initialization vectors. This allows an attacker who has gotten access to an HTTPS session via man-in-the-middle (MITM) attacks or other means to obtain plain text HTTP headers via a blockwise chosen-boundary attack (BCBA) in conjunction with Javascript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API. This vulnerability is more commonly referred to as Browser Exploit Against SSL/TLS or "BEAST".
Service: (443) -
Evidence:
• Client Provided Options: TLSv1 : ALL:eNULL:aNULL
• Server Negotiated Block Cipher: TLSv1 : DHE-RSA-AES128-SHA
Service: (8443) -
Evidence:
• Client Provided Options: SSLv3 : ALL:eNULL:aNULL
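As an added illustration (not part of the original post or of the scanner's tooling), the following script reads "Evidence" lines in the format the scan above reports and flags the combination BEAST actually needs: a CBC block-cipher suite negotiated under SSLv3 or TLSv1.0, while separately noting that an RC4 suite avoids BEAST only by being weak in its own right. The sample evidence text is constructed (the two services from the post plus two extra lines), and the classification assumes OpenSSL-style suite names as shown in the scan.

```python
import re

# Constructed sample in the scan's "Evidence" format; the last two lines are added.
SCAN_EVIDENCE = """\
Service: (443) -
• Client Provided Options: TLSv1 : ALL:eNULL:aNULL
• Server Negotiated Block Cipher: TLSv1 : DHE-RSA-AES128-SHA
Service: (8443) -
• Client Provided Options: SSLv3 : ALL:eNULL:aNULL
• Server Negotiated Block Cipher: SSLv3 : AES256-SHA
• Server Negotiated Block Cipher: TLSv1.2 : ECDHE-RSA-AES128-GCM-SHA256
"""

# Bulk ciphers that OpenSSL runs in CBC mode unless the name says GCM/CCM.
BLOCK_CIPHERS = ("AES", "DES", "CAMELLIA", "SEED", "IDEA")

def cipher_mode(suite):
    """Classify the bulk cipher of an OpenSSL suite name: aead, rc4, cbc or other."""
    if any(tag in suite for tag in ("GCM", "CCM", "CHACHA20")):
        return "aead"
    if "RC4" in suite:
        return "rc4"
    if any(block in suite for block in BLOCK_CIPHERS):
        return "cbc"
    return "other"

def beast_exposed(protocol, suite):
    """BEAST needs CBC under SSLv3 or TLSv1.0; TLS 1.1+ uses per-record IVs."""
    return protocol in ("SSLv3", "TLSv1") and cipher_mode(suite) == "cbc"

NEGOTIATED = re.compile(r"Server Negotiated Block Cipher:\s*(\S+)\s*:\s*(\S+)")

def assess(evidence):
    """Return (port, protocol, suite, verdict) for each negotiated suite."""
    findings, port = [], None
    for line in evidence.splitlines():
        if line.startswith("Service:"):
            port = line.split("(")[1].split(")")[0]   # "Service: (443) -" -> "443"
            continue
        match = NEGOTIATED.search(line)
        if not match:
            continue
        proto, suite = match.groups()
        if beast_exposed(proto, suite):
            verdict = "BEAST-exposed (CBC on legacy protocol)"
        elif cipher_mode(suite) == "rc4":
            verdict = "not BEAST, but RC4 is itself weak"
        else:
            verdict = "ok"
        findings.append((port, proto, suite, verdict))
    return findings

if __name__ == "__main__":
    for finding in assess(SCAN_EVIDENCE):
        print(*finding)
```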