EM Jetty configured for HTTPS only, responds on HTTP and doesn't follow HTTP Strict Transport Security

Article ID: 198107

Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management

Issue/Introduction

The EM Jetty is locked down to HTTPS only, but it still responds to HTTP requests and returns "P". Our Security Team is flagging this as "Strict-Transport-Security HTTP Header missing on port".

If the EM Jetty responds to HTTP requests even though HTTP is disabled, we need this updated to follow HTTP Strict Transport Security or to stop responding on HTTP altogether.
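The scanner finding above has two parts: the listener answers plain HTTP at all, and no HSTS policy is offered. The following checker is an added example written for this article, not code from CA/Broadcom or the APM product. It parses raw HTTP response bytes offline, so the two `SAMPLE_*` responses are constructed stand-ins (the bare "P" body mirrors what the article reports) rather than captured EM Jetty output, and `MIN_MAX_AGE` is an assumed one-year threshold of the kind scanners commonly apply. It also encodes the RFC 6797 rule that clients ignore an HSTS header received over plain HTTP, which is why adding the header to the HTTP listener would not clear the finding; the listener has to stop answering or redirect to HTTPS.

```python
"""Check an HTTP response for a Strict-Transport-Security (HSTS) policy.

Added example, not part of the KB article or the APM product. Works on raw
response bytes so it runs offline; the SAMPLE_* values are constructed.
"""
import re

# Constructed sample: a plain-HTTP probe of a port that should be HTTPS-only,
# answering with a terse body and no HSTS header (the article reports "P").
SAMPLE_PLAIN_HTTP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 1\r\n"
    b"\r\n"
    b"P"
)

# Constructed sample: a response received over TLS with a sound HSTS policy.
SAMPLE_HTTPS_WITH_HSTS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

MIN_MAX_AGE = 31536000  # assumed threshold: one year, a common scanner minimum


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError(f"not an HTTP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def parse_hsts(value: str):
    """Parse the HSTS directive list (RFC 6797 section 6.1) into a dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def check_hsts(raw: bytes, over_tls: bool):
    """Return a finding dict for one response.

    over_tls records which transport the response arrived on. RFC 6797
    requires clients to ignore HSTS received over plain HTTP, so a header on
    an HTTP listener does not fix the finding; the listener must not answer
    or must redirect to HTTPS.
    """
    status, headers, _ = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    finding = {
        "status": status,
        "over_tls": over_tls,
        "hsts_present": hsts is not None,
        "problems": [],
    }
    if not over_tls:
        finding["problems"].append("plain HTTP answered; HSTS is only honoured over TLS")
        return finding
    if hsts is None:
        finding["problems"].append("Strict-Transport-Security header missing")
        return finding
    d = parse_hsts(hsts)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        finding["problems"].append("max-age missing or not an integer")
        return finding
    finding["max_age"] = max_age
    if max_age < MIN_MAX_AGE:
        finding["problems"].append(f"max-age {max_age} below {MIN_MAX_AGE}")
    finding["include_subdomains"] = "includesubdomains" in d
    return finding


if __name__ == "__main__":
    for name, raw, tls in [("plain http", SAMPLE_PLAIN_HTTP, False),
                           ("https", SAMPLE_HTTPS_WITH_HSTS, True)]:
        print(name, check_hsts(raw, tls))
```

Feed it the bytes read back from a socket (plain, or wrapped with `ssl`) and pass `over_tls` accordingly; the `problems` list is empty only when the response came over TLS with a long enough `max-age`.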

Environment

Release : 10.7.0

Component : APM Agents

Resolution

This is resolved in HF61.

DE434288 - 20068181-Security vulnerabilities in Jetty (EM/WV, APMSQLServer, jetty 9.4.11-2 upgraded to 9.4.27)