A scan of our site, which is running Tomcat 126.96.36.199, gave us the vulnerability:
OpenSSL ASN.1 Parsing Vulnerabilities
| Field | Value |
|---|---|
| QID | 38224 |
| CVE Base | 8 |
| Port | 443 |
| CVSS Temporal | 7.3 |
| Category | General remote services |
| CVE ID | CVE-2003-0543, CVE-2003-0544, CVE-2003-0545, CVE-2005-173 |
Solution: The OpenSSL Project released OpenSSL versions 0.9.6k and 0.9.7c to address these issues.
We do have a version of OpenSSL running, but it's OpenSSL 1.0.0j-fips.
Tomcat is listening on port 443 (the SSL port), BUT it's not even using the OpenSSL libraries; it's using the standard JSSE libraries. The only way for Tomcat to be using OpenSSL in the first place is if we're using the Apache Portable Runtime (APR), which we're not. And even if we were, it would be using the 1.0.0j-fips version of OpenSSL and wouldn't have generated the above vulnerability in the first place.
Can Qualys tell me exactly how they're testing for this vulnerability, as I think the test is giving us a false positive?
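When triaging a finding like this, the first thing to pin down is which TLS stack actually sits behind the Tomcat connector on port 443. The following POSIX shell script is an added example (it is not from the original post, and not Qualys or Tomcat code): it reads a Tomcat `server.xml` and reports whether each SSL-enabled connector is served by JSSE or by the APR/tcnative connector, which is the one path that links Tomcat against OpenSSL. The function and file names are my own, and the three `server.xml` snippets are constructed for the example. It also covers the case the post does not mention: a connector with the default `protocol="HTTP/1.1"` auto-selects APR when the `AprLifecycleListener` has loaded the native library, so a config that never names `Http11AprProtocol` can still be OpenSSL-backed.

```shell
#!/bin/sh
# Added example, not from the original post or from Qualys/Tomcat: decide from a
# Tomcat server.xml whether its HTTPS connectors are served by JSSE or by the
# APR/tcnative connector (the path that links against OpenSSL).
# The server.xml snippets below are constructed for this example.

# apr_listener_enabled FILE -> "yes" if an AprLifecycleListener has SSLEngine="on"
# (that is what initialises OpenSSL inside Tomcat), else "no".
apr_listener_enabled() {
    if tr '\n' ' ' < "$1" | grep -o '<Listener[^>]*>' \
        | grep -Eiq 'AprLifecycleListener[^>]*SSLEngine="on"'; then
        echo yes
    else
        echo no
    fi
}

# tomcat_tls_stack FILE -> "APR", "JSSE" or "NONE" (no SSL-enabled connector).
# The XML is joined onto one line first so multi-line <Connector> elements match.
tomcat_tls_stack() {
    connectors=$(tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*>' \
                 | grep 'SSLEnabled="true"' || true)
    [ -n "$connectors" ] || { echo NONE; return; }
    # 1. An explicit APR protocol class, or a JSSE connector pointed at the
    #    OpenSSL engine via sslImplementationName, is OpenSSL-backed.
    if printf '%s\n' "$connectors" \
        | grep -Eiq 'protocol="[^"]*AprProtocol|sslImplementationName="[^"]*openssl'; then
        echo APR; return
    fi
    # 2. protocol="HTTP/1.1" (or no protocol attribute) lets Tomcat auto-select
    #    the APR connector when tcnative is loaded, so treat it as APR whenever
    #    the listener has SSLEngine="on". Config alone cannot prove the native
    #    library is present on the host; the catalina log confirms that.
    if [ "$(apr_listener_enabled "$1")" = yes ] && {
        printf '%s\n' "$connectors" | grep -Ev 'protocol="'
        printf '%s\n' "$connectors" | grep -E 'protocol="HTTP/1.1"'
    } | grep -q .; then
        echo APR; return
    fi
    echo JSSE
}

# Constructed sample 1: NIO connector, APR listener present but OpenSSL disabled.
jsse_xml=$(mktemp)
cat > "$jsse_xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" />
  </Service>
</Server>
EOF

# Constructed sample 2: explicit APR connector with OpenSSL-style cert files.
apr_xml=$(mktemp)
cat > "$apr_xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/localhost.crt"
               SSLCertificateKeyFile="conf/localhost.key" />
  </Service>
</Server>
EOF

# Constructed sample 3: default protocol string, which auto-selects APR
# because the listener has SSLEngine="on".
auto_xml=$(mktemp)
cat > "$auto_xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
  </Service>
</Server>
EOF
trap 'rm -f "$jsse_xml" "$apr_xml" "$auto_xml"' EXIT

for f in "$jsse_xml" "$apr_xml" "$auto_xml"; do
    echo "$f: $(tomcat_tls_stack "$f")"
done
```

Run it against the real `conf/server.xml` by calling `tomcat_tls_stack /path/to/server.xml`. If it reports `JSSE`, the OpenSSL version on the host is irrelevant to what is answering on 443, and the remaining question for the scanner vendor is what fingerprint or response triggered the signature; if it reports `APR`, compare the tcnative/OpenSSL version logged at Tomcat startup against the versions the advisory names rather than the system `openssl version`, since tcnative can be linked against a different build.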