Apache Tomcat Vulnerabilities identified on DevTest 10.x servers

Document ID : KB000095369
Last Modified Date : 10/05/2018
Introduction:
We currently run DevTest 10.1 on Windows Server 2012 hosts. The DevTest servers were scanned and two security vulnerabilities were reported against them.

The vulnerabilities are the following:
#1: QID 38142
    SSL Server Allows Anonymous Authentication Vulnerability (High)
    Recommended fix: upgrade to a modern, supported version of Apache Tomcat and/or update the configuration to disable support for anonymous authentication.

#2: QID 38628
    SSL Server Allows Cleartext Communication Vulnerability (High)
    Recommended fix: disable ciphers which support cleartext communication.
    Apache Tomcat:

Background:

Environment:
DevTest 10.x and up
Instructions:
To address the reported Apache Tomcat vulnerabilities, remove the Demoserver folder (if installed), the examples folder and the example_src folder after the installation. This should resolve the findings; rescan the servers afterwards to confirm, because both QIDs describe cipher suites offered by the HTTPS connector, and the scan is the only way to prove they are no longer negotiable.
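Both findings above correspond to cipher suites the Tomcat HTTPS connector (configured in conf/server.xml) is willing to negotiate: suites with anonymous key exchange (DH_anon, ECDH_anon) are what QID 38142 reports, and suites with NULL encryption are what QID 38628 reports. The following script is an added example for this KB entry, not code from CA DevTest or Apache Tomcat. It parses a server.xml, lists such suites per SSL-enabled connector, and produces the hardened cipher list. The embedded server.xml, its ports, keystore path and password are constructed placeholders, not a real DevTest configuration.

```python
# Added example, not part of CA DevTest or Apache Tomcat: audit a Tomcat
# server.xml for HTTPS connectors that still offer anonymous or null-encryption
# cipher suites (the conditions behind QID 38142 and QID 38628).
import xml.etree.ElementTree as ET

# Name fragments that mark anonymous key exchange or no encryption. JSSE names
# (TLS_DH_anon_..., ..._WITH_NULL_...) and OpenSSL-style names (ADH-, AECDH-,
# NULL-) are both covered, since Tomcat accepts either form depending on version.
WEAK_MARKERS = ("_ANON_", "_WITH_NULL_", "ADH-", "AECDH-", "NULL-")
# OpenSSL keywords that, when included rather than excluded, pull weak suites in.
WEAK_KEYWORDS = {"ANULL", "ENULL", "NULL", "ALL", "COMPLEMENTOFDEFAULT"}

# Constructed sample, not taken from a DevTest install. The 8443 connector is
# the kind of configuration the scanner reports; 8444 is the hardened form.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_DH_anon_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_NULL_SHA,
                        TLS_ECDHE_RSA_WITH_NULL_SHA"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def split_ciphers(value):
    """Tomcat accepts comma- or colon-separated lists; surrounding whitespace is ignored."""
    return [c.strip() for c in value.replace(":", ",").split(",") if c.strip()]


def is_weak(cipher):
    """True for anonymous or null-encryption suites; exclusions (!x, -x) are never weak."""
    u = cipher.upper()
    if u.startswith(("!", "-")):
        return False
    if u in WEAK_KEYWORDS:
        return True
    return any(m in u for m in WEAK_MARKERS)


def audit_server_xml(xml_text):
    """Return {port: finding} for every SSLEnabled connector.

    finding is the list of weak suite names found, or None when the connector
    sets no explicit cipher list (it then inherits the JVM/Tomcat default, which
    must be confirmed with a scan rather than assumed safe)."""
    root = ET.fromstring(xml_text)
    findings = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # Tomcat 8.5+/9 may carry TLS settings in a nested SSLHostConfig element.
        host_cfg = conn.find("SSLHostConfig")
        ciphers = conn.get("ciphers")
        if ciphers is None and host_cfg is not None:
            ciphers = host_cfg.get("ciphers")
        port = conn.get("port")
        findings[port] = None if ciphers is None else [c for c in split_ciphers(ciphers) if is_weak(c)]
    return findings


def hardened_cipher_list(value):
    """Drop anonymous and null-encryption suites, keeping order and the original separator."""
    sep = ":" if ":" in value and "," not in value else ","
    return sep.join(c for c in split_ciphers(value) if not is_weak(c))


if __name__ == "__main__":
    for port, weak in audit_server_xml(SAMPLE_SERVER_XML).items():
        if weak is None:
            print(f"port {port}: no explicit cipher list, verify with a scan")
        elif weak:
            print(f"port {port}: weak suites offered: {', '.join(weak)}")
        else:
            print(f"port {port}: no anonymous or null suites")
```

After changing the `ciphers` attribute and restarting Tomcat, confirm from another host that the anonymous and null suites are gone, for example with `openssl s_client -connect <host>:8443 -cipher 'aNULL:eNULL'`, which should now fail to complete a handshake; the scanner rescan is still the authoritative check.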
Additional Information:
Tomcat versions bundled with DevTest 10.x:

DevTest 10.1 : Tomcat 7.0.63 
DevTest 10.2 : Tomcat 8.0.45 
DevTest 10.3 : Tomcat 9.0.1