Supporting TLS 1.2 for Lucky13 Vulnerability Fix for API Management

Alejandro Castaño Jimenez 26 Reputation points
2022-11-15T17:33:12.647+00:00

We are using the API Management service; by default it uses TLS 1.2.
We need to know how to mitigate the Lucky-13 vulnerability [CVE-2013-0169].
Thanks

Azure API Management

1 answer

  1. MuthuKumaranMurugaachari-MSFT 22,271 Reputation points
    2022-11-15T23:22:43.757+00:00

    @Alejandro Castaño Jimenez Thank you for reaching out to Microsoft Q&A. For the CVE-2013-0169 vulnerability, I think the fix is to disable CBC ciphers, and you can disable some CBC ciphers by following the docs: Manage protocols and ciphers in Azure API Management.

    As mentioned in our public documentation, there are certain ciphers that are considered weak according to modern day industry standards, however, they cannot be disabled in API Management. Your API Management service runs on a computing platform that has several internal components that ensure the security, compliance, and availability of your service. Some of these components have a dependency on these ciphers and that is why these ciphers cannot be disabled in API Management Service currently.

    All Azure services, including API Management, are required to comply with several security controls. There are internal processes and tools in place that ensure our services follow these controls and these mitigate the risks associated with having these weak ciphers enabled. You can learn more about Azure Security and Compliance standards here.

    We will continue to perform internal reviews of API Management dependencies periodically and identify/implement any opportunities to further enhance the security and reliability of your API Management Service.
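
A check for the change the answer describes, as an added example that is not part of the original thread or of Microsoft's documentation: it classifies TLS 1.2 cipher suite names as CBC-mode (the mode CVE-2013-0169 concerns) in both IANA and OpenSSL naming, and can probe a gateway you operate by offering only CBC suites. The function names and the sample list are constructed for illustration.

```python
import socket
import ssl
import sys

AEAD = ("GCM", "CCM", "CHACHA20")                   # AEAD suites are not CBC
BLOCK = ("AES", "DES", "CAMELLIA", "SEED", "IDEA")  # block ciphers in OpenSSL names

def is_cbc_suite(name: str) -> bool:
    """True if a TLS <= 1.2 suite name (IANA or OpenSSL style) uses CBC mode."""
    n = name.upper()
    if any(m in n for m in AEAD):
        return False
    if "_WITH_" in n:                  # IANA names state the mode explicitly
        return "_CBC_" in n
    # OpenSSL names omit "CBC": a block cipher with no AEAD marker is CBC,
    # e.g. ECDHE-RSA-AES256-SHA384. RC4 and NULL suites end up False here.
    return any(b in n for b in BLOCK)

def flag_cbc(suites):
    """Return the CBC-mode suites from an iterable of suite names."""
    return [s for s in suites if is_cbc_suite(s)]

def negotiated_cbc_suite(host: str, port: int = 443, timeout: float = 5.0):
    """Offer only CBC suites over TLS 1.2; return the suite the server picks, or None."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2    # TLS 1.3 has no CBC suites
    ctx.set_ciphers("ALL:!aNULL:!eNULL")            # widen, then keep CBC only
    ctx.set_ciphers(":".join(flag_cbc(c["name"] for c in ctx.get_ciphers())))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLCertVerificationError:
        raise                                       # certificate problem, not a cipher answer
    except ssl.SSLError:
        return None                                 # handshake failed with only CBC on offer

# Constructed sample, not taken from any real scan.
SAMPLE = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305", "RC4-SHA",
]

if __name__ == "__main__":
    print("CBC suites in sample:", flag_cbc(SAMPLE))
    if len(sys.argv) > 1:                           # hostname of a gateway you operate
        print("negotiated CBC suite:", negotiated_cbc_suite(sys.argv[1]))
```

A non-None result from the probe names a CBC suite the endpoint still accepts, which is expected for the suites the answer says cannot be disabled.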