rules/findings/azure/databases/redis/azure-cache-redis-enterprise-minimum-tls-version.json
{
"args": [], "provider": "Azure", "serviceType": "Cache for Redis Enterprise", "serviceName": "Databases", "displayName": "Ensure that 'Minimum TLS version' is set to TLS v1.2", "description": "Setting the `Minimum TLS version` helps reduce (but does not eliminate) exposure to TLS protocol vulnerabilities by preventing the use of significantly outdated versions of TLS.", "rationale": "The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), encrypt network traffic in transit between server and client.<br/><br/>Using only the most recent versions of TLS (version 1.2 and higher) removes exposure to the known, exploited vulnerabilities of outdated TLS versions. Where TLS 1.2 is used without granular configuration of the supported cipher suites, default cipher suites that use Cipher Block Chaining (CBC) mode may remain enabled, which would expose the service to padding-oracle vulnerabilities.<br/><br/>TLS 1.3 does not support CBC-mode ciphers by default; its default cipher suites use GCM, which adds an authentication step when plaintext is encrypted to ciphertext.<br/><br/>TLS version 1.3 is preferable wherever it can be implemented.<br/><br/>Versions 1.0 and 1.1 of TLS are no longer considered secure. These versions should not be used or permitted where data integrity and confidentiality are required.", "impact": "This configuration setting should not result in any perceptible change to cost or performance.", "remediation": { "text": " ##### Remediate From Azure Portal 1. Search for and open the Azure Cache for Redis service 2. For each instance listed, repeat the remaining steps 3. Click on the name of the instance 4. In the blade menu on the left, under Settings, click on Advanced Settings 5. Click the drop-down menu under Minimum TLS version 6. 
Select 1.2 (Recommended); higher versions are preferred when available ", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://www.rfc-editor.org/rfc/pdfrfc/rfc8446.txt.pdf", "https://nvd.nist.gov/vuln/detail/CVE-2016-0701" ], "compliance": [ { "name": "CIS Microsoft Azure Database Services", "version": "2.0.0", "reference": "2.3", "profile": [ "Level 1" ] } ], "level": "medium", "tags": [], "rule": { "path": "az_redis_enterprise", "subPath": null, "selectCondition": {}, "query": [ { "filter": [ { "conditions": [ [ "networking.minimumTlsVersion", "match", "1.2|1.3" ] ] } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "name": "Name", "location": "location", "resourceGroupName": "Resource Group Name", "properties.minimumTlsVersion": "Minimum TLS Version" }, "expandObject": null }, "table": "default", "decorate": [], "emphasis": [], "actions": { "objectData": { "properties": [ "id", "name", "location", "networking" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { "name": "Name", "location": "location", "resourceGroupName": "Resource Group Name", "properties.minimumTlsVersion": "Minimum TLS Version" }, "expandObject": null }, "status": { "keyName": ["name"], "message": "Ensure that 'Minimum TLS version' is set to TLS v1.2 or Higher for {name}", "defaultMessage": null }, "properties": { "resourceName": "name", "resourceId": "id", "resourceType": "type" }, "onlyStatus": false } }, "idSuffix": "cache_redis_enterprise_minimum_tls_version", "notes": [], "categories": [], "immutable_properties": [ "name", "id" ], "id": "azure_redis_enterprise_001" }