QID 11827 Vulnerability on 1505 after implementing SSL in 10.4


Article ID: 141141


Products

CLOUDTEST, CA Application Test, CA Cloud Test Mobile, MOBILECLOUD, Service Virtualization

Issue/Introduction

We see that once we implemented the SSL protocol in two DevTest environments, both of those environments now come up with the QID 11827 vulnerability on port 1505 in version 10.4.

Environment

Release : 10.4

Component : CA Service Virtualization

Resolution

The "HTTP Security Header Not Detected for port 1505" vulnerability is reported for the "Strict-Transport-Security" header, which is applicable to HTTPS requests only.

A fix is available for this: the patch "patch_DE439275_10.4.0_GA.jar". It covers both the "X-XSS-Protection HTTP Header missing on port 1505" and the "Strict-Transport-Security HTTP Header missing on port 1505" findings.

Steps to apply:

1. Stop all the services.

2. Go to the /lib/patches folder. (Create the patches folder if it doesn't exist).

3. Copy and paste the attached patch 'patch_DE439275_10.4.0_GA.jar' into the patches folder.

4. Restart all the components.

5. Run a scan.


Additionally, you can verify the fix after applying the patch by opening the URL "https://localhost:1505" in a browser and checking the response headers for that URL under the browser's Network tab. You should now see the following response headers:

Strict-Transport-Security: max-age=31556926; includeSubDomains

Content-Security-Policy: default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1;mode=block
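To make the browser check above repeatable across every machine the patch is applied to, here is an added Python script (not part of this article or of the DevTest product) that fetches the port 1505 endpoint over TLS and reports which of the listed headers are missing or carry a different value. The host, port, path and cafile parameters and the two sample responses are assumptions constructed for illustration.

```python
import http.client
import ssl
# Response headers the article lists for a patched port 1505. None means presence-only
# check, since the Content-Security-Policy value is deployment specific.
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "max-age=31556926; includeSubDomains",
    "Content-Security-Policy": None,
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1;mode=block",
}

def missing_headers(headers):
    """List expected headers that are absent or carry a different value. `headers` holds
    (name, value) pairs as getheaders() returns; names are case-insensitive, values ignore whitespace."""
    present = {name.lower(): value for name, value in headers}
    problems = []
    for name, expected in EXPECTED_HEADERS.items():
        got = present.get(name.lower())
        if got is None:
            problems.append(f"{name}: missing")
        elif expected is not None and "".join(got.split()) != "".join(expected.split()):
            problems.append(f"{name}: got {got!r}, expected {expected!r}")
    return problems

def fetch_headers(host="localhost", port=1505, path="/", cafile=None):
    """GET the DevTest port over TLS and return (name, value) response headers. Assumption:
    pass a self-signed component certificate's PEM as `cafile` instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()

# Constructed samples (not real captures): an unpatched and a patched response.
SAMPLE_UNPATCHED = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
SAMPLE_PATCHED = [
    ("strict-transport-security", "max-age=31556926; includeSubDomains"),
    ("Content-Security-Policy", "default-src *; style-src * 'unsafe-inline'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
]

if __name__ == "__main__":
    problems = missing_headers(fetch_headers())
    print("\n".join(problems) if problems else "all expected headers present on port 1505")
```

Run it on each DevTest machine after the restart; a non-empty report means the patch jar was not picked up from the patches folder on that host.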


Note: Apply this patch on all the machines where the DevTest components are running.

Please open a support ticket for this and reference DE439275 in the description.