App Service web app does not have 'Minimum TLS Version' set to '1.2' Affecting App Service (Web Apps) service in Azure
Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Data/ Encryption Protocols
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-AzureCIS-ControlsCSA-CCMISO-27001NIST-800-53PCI-DSSSOC-2
- Snyk IDSNYK-CC-00489
- creditSnyk Research Team
Description
Older cipher suites could be vulnerable to hijacking and information disclosure.
How to fix?
Set siteConfig.minTlsVersion attribute to 1.2.
Set site_config.minimum_tls_version (azurerm_linux_web_app, azurerm_windows_web_app) or site_config.min_tls_version (azurerm_app_service) to 1.2.
Example configuration:
# azurerm_linux_web_app example
resource "azurerm_linux_web_app" "linallowed" {
name = "example-app-service-linallow"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
service_plan_id = azurerm_service_plan.exampleasp.id
site_config {
minimum_tls_version = "1.2"
}
}
# azurerm_windows_web_app example
resource "azurerm_windows_web_app" "winallowed" {
name = "example-app-service-allow"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
service_plan_id = azurerm_service_plan.exampleasp1.id
site_config {
minimum_tls_version = "1.2"
}
}
# azurerm_app_service example
resource "azurerm_app_service" "example1" {
name = "example-app-service1"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id
site_config {
min_tls_version = "1.2"
}
}