UIM HTTPS Security Findings for HSTS

Article ID: 200249

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

The following vulnerability scanner finding is reported against UIM:

Plugin: 84502
Plugin Name: HSTS Missing From HTTPS Server
Port: 9443/443
Plugin Text: Plugin Output: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
Synopsis: The remote web server is not enforcing HSTS.
Description: The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Solution: Configure the remote web server to use HSTS.

Environment

Release : 20.1

Component : UIM - UMP

Resolution

In C:\Program Files (x86)\Nimsoft\probes\service\wasp\webapps\ROOT\WEB-INF (under the directory where wasp was installed), web.xml contains the following section, which is commented out. Uncomment this section:

    <!-- Enable HTTPS filter for HTTPS environment-->
    <!--
    <filter>
      <filter-name>HTTP Header Security Filter</filter-name>
      <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
      <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
      </init-param>
      <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>HTTP Header Security Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->

In addition to the above, for the Admin Console add the same configuration to web.xml in \Nimsoft\probes\service\wasp\webapps\adminconsoleapp\WEB-INF, preferably after this section:

<!-- HttpSessionListener implementation -->
  <listener>
    <listener-class>
      com.firehunter.adminconsole.config.AdminConsoleHttpSessionListener
    </listener-class>
  </listener>

Then, on the UMP server, add the following additional configuration to C:\Program Files (x86)\Nimsoft\probes\service\wasp\webapps\ROOT\WEB-INF\liferay-web.xml:

    <filter>
      <filter-name>HTTP Header Security Filter</filter-name>
      <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
      <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
      </init-param>
      <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>HTTP Header Security Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

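After restarting wasp, the change can be verified from a workstation by requesting the UMP or Admin Console page over HTTPS and checking that the Strict-Transport-Security header carries the max-age (31536000) and includeSubDomains values configured above. The script below is an added example, not part of this article or of UIM; the host name passed to fetch_hsts_header is whatever your UMP server is called, and the expected values mirror the filter settings shown in this article.

```python
import http.client
import ssl
from typing import Optional

# Values configured in HttpHeaderSecurityFilter in the web.xml sections above.
EXPECTED_MAX_AGE = 31536000
EXPECT_INCLUDE_SUBDOMAINS = True


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Split an HSTS value into directives; None if absent or without a numeric max-age."""
    if header is None:
        return None
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None  # malformed max-age: a scanner still reports HSTS missing
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed if parsed["max_age"] is not None else None


def check_hsts(header: Optional[str]) -> list:
    """Compare a header value with the article's settings; an empty list means it matches."""
    parsed = parse_hsts(header)
    if parsed is None:
        return ["Strict-Transport-Security header missing or malformed"]
    findings = []
    if parsed["max_age"] < EXPECTED_MAX_AGE:
        findings.append(f"max-age {parsed['max_age']} is below {EXPECTED_MAX_AGE}")
    if EXPECT_INCLUDE_SUBDOMAINS and not parsed["include_subdomains"]:
        findings.append("includeSubDomains directive missing")
    return findings


def fetch_hsts_header(host: str, port: int = 443, path: str = "/") -> Optional[str]:
    """HEAD the UMP/Admin Console page over TLS and return the HSTS header value, if any."""
    conn = http.client.HTTPSConnection(host, port, timeout=10, context=ssl.create_default_context())
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
```

Run `check_hsts(fetch_hsts_header("<your UMP host>", 443))` against both ports the finding lists (443 and 9443); the filter only adds the header to HTTPS responses, so a plain-HTTP request will always show it as missing. If the UMP certificate is not trusted by the workstation, pass `ssl.create_default_context(cafile=...)` with your CA bundle rather than disabling verification.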

Additional Information

UIM - Unable to display UMP security banner

https://knowledge.broadcom.com/external/article?articleId=204202