HTTP OPTIONS Method Enabled APM Vulnerability

Article ID: 141818

Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management

Issue/Introduction

APM Wily servers have been flagged by vulnerability scans for the following issues:

1. Titles aggregated to: Self-signed TLS/SSL certificate

2. HTTP OPTIONS Method Enabled

Environment

Release : 10.7.0

Component : APM Managers

Resolution

Report #1 : Titles aggregated to: Self-signed TLS/SSL certificate

SSL needs to be configured by the customer's environment administrator with their own certificates. Follow the documentation below for SSL configuration:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/application-performance-management/10-7/administrating/configure-enterprise-manager/configure-enterprise-manager-communications/jetty-configuration-options-for-version-10-7.html

Report #2 : HTTP OPTIONS Method Enabled

The HTTP OPTIONS method can be disabled through configuration in the em-jetty-config.xml and webview-jetty-config.xml files under the config folder of the EM installation. See the attached files for reference.
zip file: sample-jetty-files.zip
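
To confirm the result once the configuration change is in effect, the following added check (not Broadcom's code and not part of the attached sample files) sends a single OPTIONS request to a web server and reports whether it is still answered. The host name and ports in the `__main__` block are placeholder assumptions; substitute the EM and WebView addresses of your installation, and pass `cafile` when the server presents a certificate from a private CA.

```python
import http.client
import ssl


def classify(status, allow):
    """Map an OPTIONS reply to (verdict, methods listed in the Allow header)."""
    methods = sorted({m.strip().upper() for m in (allow or "").split(",") if m.strip()})
    if status in (403, 405, 501):
        verdict = "disabled"      # refused, not allowed, or not implemented
    elif 200 <= status < 300:
        verdict = "enabled"       # answered normally: scanners will still flag it
    else:
        verdict = "inconclusive"  # redirect, 401, 5xx: review by hand
    return verdict, methods


def probe(host, port, path="/", tls=False, cafile=None, timeout=5):
    """Send one OPTIONS request; return (verdict, methods, HTTP status)."""
    if tls:
        # Certificate verification stays on; cafile may point at a private CA bundle.
        ctx = ssl.create_default_context(cafile=cafile)
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        verdict, methods = classify(resp.status, resp.getheader("Allow"))
        return verdict, methods, resp.status
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder targets (assumptions, not taken from the article).
    targets = [("EM", "em.example.internal", 8081),
               ("WebView", "em.example.internal", 8080)]
    for name, host, port in targets:
        try:
            print(name, probe(host, port))
        except (OSError, http.client.HTTPException) as exc:
            print(name, "unreachable:", exc)
```

A `disabled` verdict on both servers is the expected outcome after the change; `inconclusive` usually means the request was redirected or required authentication before the method was evaluated.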

Attachments

1576248236046__sample-jetty-files.zip