The WebSphere Liberty Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-250347 | IBMW-LS-001110 | SV-250347r961632_rule | CCI-002418 | medium |
| Description | ||||
| Export grade encryption suites are not strong and do not meet DoD requirements. The encryption for the session becomes easy for the attacker to break. Do not use export grade encryption. | ||||
| STIG | Date | |||
| IBM WebSphere Liberty Server Security Technical Implementation Guide | 2025-02-11 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
SC-8
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.13.8
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-002418
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-250347r961632_chk)
Review the ${server.config.dir}/server.xml file and check the "enabledCiphers" setting. If any of the ciphers specified in the enabledCiphers setting contains the word "EXPORT", this is a finding.
<ssl id="myDefaultSSLConfig"
keyStoreRef="defaultKeyStore"
trustStoreRef="defaultTrustStore"
clientAuthentication="true"
sslProtocol="TLS"
enabledCiphers="SSL_xxx_yyy_zzz"/>
Fix Text (F-53736r795093_fix)
Review the ${server.config.dir}/server.xml file and if needed, modify the "enabledCiphers" setting for each affected SSL configuration.
<ssl id="myDefaultSSLConfig"
keyStoreRef="defaultKeyStore"
trustStoreRef="defaultTrustStore"
clientAuthentication="true"
sslProtocol="TLS"
enabledCiphers="SSL_xxx_yyy_zzz"/>
where xxx, yyy, and zzz do not contain "EXPORT".