SSL port 8443 vulnerability found on VNA server without SSL configured

Article ID: 195207

Products

CA Virtual Network Assurance
CA Performance Management - Usage and Administration
DX NetOps
CA Spectrum

Issue/Introduction

Getting Qualys vulnerability 11827 on VNA port 8443 - CWE-693

Running a Qualys security scan reported a vulnerability on VNA port 8443.

Custom response headers would need to be added on this port if VNA actually needs it.

Security scans report SSL vulnerabilities on the VNA server even though it is not configured for SSL.

Cause

VNA does not use port 8443, but the WildFly application server that VNA runs on exposes it by default.

Environment

Performance Management releases r3.7.14 and earlier

DX NetOps release r20.2.1

Resolution

The fix for this will be included in the PM r3.7.15 and NetOps r20.2.2 releases via defect DE462717. The fix will be the removal of port 8443 from VNA.

To resolve the issue before upgrading, complete the following steps to disable HTTPS on VNA.

  1. On the VNA host server, open standalone.xml (default path /opt/CA/VNA/wildfly/standalone/configuration/standalone.xml)
  2. Edit the file by commenting out the following line:
    • <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" enabled-protocols="TLSv1.2"/>
  3. After editing the file, restart the VNA WildFly service so the change takes effect
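As an added example (not Broadcom's code), the following Python script checks a standalone.xml for an active https-listener and comments it out after taking a backup, which is the same edit as step 2 above. The XML fragment is constructed for the demonstration and the undertow namespace version it declares is an assumption.

```python
import re
import shutil
import xml.etree.ElementTree as ET

# Constructed, minimal stand-in for the undertow subsystem in a WildFly
# standalone.xml; the https-listener line is the one quoted in the article.
SAMPLE_STANDALONE_XML = """<?xml version="1.0" ?>
<server xmlns="urn:jboss:domain:10.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:8.0">
      <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" enabled-protocols="TLSv1.2"/>
        <host name="default-host" alias="localhost"/>
      </server>
    </subsystem>
  </profile>
</server>
"""

# A whole-line, self-closing https-listener element (the form used in standalone.xml).
HTTPS_LISTENER_RE = re.compile(r"^([ \t]*)(<https-listener\b[^>]*/>)[ \t]*$", re.MULTILINE)


def https_listeners(xml_text):
    """Names of https-listener elements that are still active (not commented out).
    The XML parser drops comments, and namespaces are stripped so the check
    works whatever undertow schema version the file declares."""
    root = ET.fromstring(xml_text)
    return [el.get("name") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "https-listener"]


def disable_https_listeners(xml_text):
    """Wrap every https-listener line in an XML comment; returns (text, count)."""
    return HTTPS_LISTENER_RE.subn(r"\1<!-- \2 -->", xml_text)


def apply_fix(path):
    """Back up standalone.xml and comment out its HTTPS listener(s) in place.
    Returns the number of listeners disabled (0 means the file was left alone)."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    if not https_listeners(original):
        return 0
    shutil.copyfile(path, path + ".bak")  # keep a copy to roll back the change
    fixed, count = disable_https_listeners(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(fixed)
    return count
```

After restarting WildFly, confirm that nothing is listening on port 8443 on the host (for example with `ss -ltn`) and rerun the scan to verify the finding is gone.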

Additional Information

https://cwe.mitre.org/data/definitions/693.html