An Apache web server must maintain the confidentiality of controlled information during transmission through the use of an approved TLS version.
DISA Rule
SV-102677r1_rule
Vulnerability Number
V-92589
Group Title
SRG-APP-000014-WSR-000006
Rule Version
AS24-W2-000890
Severity
CAT I
CCI(s)
- CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
- CCI-000197 - The information system, for password-based authentication, transmits only cryptographically-protected passwords.
- CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- CCI-000803 - The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- CCI-001166 - The information system identifies organization-defined unacceptable mobile code.
- CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
- CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
- CCI-002420 - The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
- CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.
- CCI-002476 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
Weight
10
Fix Recommendation
Ensure the "SSLProtocol" is added and looks like the following in the <'INSTALLED PATH'>\conf\httpd.conf file:
SSLProtocol -ALL +TLSv1.2
Ensure the "SSLEngine" parameter is set to "ON" inside the "VirtualHost" directive.
Check Contents
In a command line, navigate to "<'INSTALLED PATH'>\bin". Run "httpd -M" to view a list of installed modules.
If the module "mod_ssl" is not enabled, this is a finding.
Review the <'INSTALLED PATH'>\conf\httpd.conf file to determine if the "SSLProtocol" directive exists and looks like the following:
SSLProtocol -ALL +TLSv1.2
If the directive does not exist and does not contain "-ALL +TLSv1.2", this is a finding.
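The httpd.conf review described above can be scripted. The following is an added example, not part of the STIG text or of Apache: `audit_httpd_conf` and `logical_lines` are hypothetical names, the directive is required to match "-ALL +TLSv1.2" exactly (case-insensitive), and every "VirtualHost" block is expected to set "SSLEngine" to on. It does not follow Include directives and does not replace the "httpd -M" check for mod_ssl.

```python
import re

REQUIRED = ["-all", "+tlsv1.2"]  # STIG value, compared case-insensitively (assumption: exact match)

def logical_lines(text):
    # Join backslash continuations, then drop blank lines and # comments.
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1] + " "
            continue
        buf = ""
        if line and not line.startswith("#"):
            yield line

def audit_httpd_conf(text):
    # Returns a list of finding strings; an empty list means the file passes.
    # Included files are not followed; run it on each file that carries SSL settings.
    findings, vhost, engine_on, seen_protocol = [], None, False, False
    for line in logical_lines(text):
        open_tag = re.match(r"<VirtualHost\s+([^>]*)>", line, re.I)
        if open_tag:
            vhost, engine_on = open_tag.group(1).strip(), False
        elif re.match(r"</VirtualHost>", line, re.I):
            if not engine_on:
                findings.append(f"VirtualHost {vhost}: SSLEngine is not on")
            vhost = None
        else:
            parts = line.split()
            name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
            if name == "sslprotocol":
                seen_protocol = True
                value = " ".join(parts[1:])
                if args != REQUIRED:
                    findings.append(f"SSLProtocol is '{value}', expected '-ALL +TLSv1.2'")
            elif name == "sslengine" and vhost is not None:
                engine_on = args == ["on"]
    if not seen_protocol:
        findings.append("SSLProtocol directive is missing")
    return findings

# Constructed sample configurations (not taken from a real server).
COMPLIANT = "SSLProtocol -ALL +TLSv1.2\n<VirtualHost *:443>\n  SSLEngine On\n</VirtualHost>\n"
WEAK = "# SSLProtocol -ALL +TLSv1.2\nSSLProtocol all -SSLv3\n<VirtualHost *:443>\n  SSLEngine off\n</VirtualHost>\n"

if __name__ == "__main__":
    for label, conf in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, audit_httpd_conf(conf) or "no findings")
```

A commented-out directive is treated as absent, so a file that only contains "# SSLProtocol -ALL +TLSv1.2" is reported as missing the directive.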
Documentable
False
Check Content Reference
M
Target Key
3419