NetOps Data Collector HTTP Security Header Not Detected Vulnerability

Article ID: 204779

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

An internal security scan reported the following vulnerability, which needs to be remediated as soon as possible.

A Qualys scan of DX NetOps Performance Management Data Collector hosts running release 21.2.12 returned the following vulnerability.

How can this be remediated?

Qualys scan result (one row of the scan report, shown here as field: value):

DNS: DC_hostname
Tracking Method: QAGENT
OS: Red Hat Enterprise Linux Server 7.9
QID: 45242
Title: Remote Management Service Accepting Unencrypted Credentials Detected (HTTP)
Vendor Reference: (blank in scan output)
CVSS Base: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal: 3.3 (E:U/RL:W/RC:UR)
CVSS Environment: Asset Group: FH_E42_INSCOPE_PCI, Collateral Damage Potential: Not Defined, Target Distribution: Not Defined, Confidentiality Requirement: Not Defined, Integrity Requirement: Not Defined, Availability Requirement: Not Defined
Solution: If possible, use alternate services that provide encryption. Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission.
Results: Service Name: HTTP on TCP port 8681. HTTP Service Accepting Basic Auth Credentials Detected
Server Name: DC_hostname
Application: CAPM (Network Performance Tool)
Inventory.Contact: (blank in scan output)
CVSS Merge: 6.4
CVSS Qualitative: Medium
Final Merge: DC_hostname
Lookup: DC_hostname

Environment

All supported DX NetOps Performance Management releases

Cause

The Data Collector (DC) only provides a /debug HTTP endpoint, which regular users should not be accessing.

The /debug page links to the Apache Karaf web console, which we do not have access to in order to add headers.

The /debug/dispatcher endpoint is the CAPM debug module.

The only time these pages need to be visited is to check whether a bundle is running or to restart it, which can also be done through the product's web pages.

This would only be done at the request of Support.

Resolution

There are two options to address this concern.

  1. Internal network controls to prevent access by unwanted or unauthorized users.
    • Ports 8501, 8681 and 8601 should be firewalled so that only local access is allowed.
    • They should not be blocked entirely, only from external access.
    • Blocking them entirely breaks the gathering of Data Aggregator and Data Collector Self Monitoring metric data.
  2. Upgrade to 22.2.2 or a newer release.
    • Starting with 22.2.2 we have introduced HTTPS configuration support for Data Collectors.
    • Upgrade and configure the DC for HTTPS.
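One way to implement option 1 with firewalld on the RHEL 7.9 Data Collector hosts named in the scan result, as an added example that is not part of the original article or the product. The use of rich rules in the zone that holds the DC's interface, the zone name `public`, and the allowed-source CIDRs are assumptions; the addresses of the Data Aggregator or other hosts that must keep polling the DC have to be substituted for the placeholder in the usage lines.

```shell
#!/bin/sh
# Added example (not from the article): restrict the Data Collector debug
# ports 8501, 8681 and 8601 to the hosts that legitimately poll them, using
# firewalld, the default firewall on the RHEL 7.9 hosts in the scan result.
# Assumptions: firewalld is running; ZONE is the zone holding the DC's network
# interface (check with: firewall-cmd --get-default-zone); the CIDRs passed in
# are the Data Aggregator / Performance Center hosts that must keep access.
# firewalld accepts loopback traffic implicitly, so access from the DC itself
# is unaffected.

DEBUG_PORTS="8501 8681 8601"
ZONE="${ZONE:-public}"

# Print, without running, the firewall-cmd invocations for the given allowed
# sources. Reviewing the plan first guards against turning "block external
# use" into "block all use", which the article warns breaks self-monitoring.
plan_rules() {
    if [ "$#" -eq 0 ]; then
        echo "usage: plan_rules <allowed-cidr> [more-cidrs...]" >&2
        return 1
    fi
    for port in $DEBUG_PORTS; do
        # Drop any zone-wide opening of the port so that only the rich rules
        # below admit it (the warning firewalld prints when the port was never
        # opened is ignored).
        echo "firewall-cmd --permanent --zone=$ZONE --remove-port=$port/tcp >/dev/null 2>&1 || true"
        for src in "$@"; do
            # Rich rules scope the port to a source without moving that source
            # into another zone, so its other traffic to the DC is unchanged.
            echo "firewall-cmd --permanent --zone=$ZONE --add-rich-rule='rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"tcp\" accept'"
        done
    done
    # Connections from any other address fall through to the zone's default
    # reject, which is what the scanner should observe afterwards.
    echo "firewall-cmd --reload"
}

# Apply the reviewed plan on the DC (run as root).
apply_rules() {
    plan_rules "$@" | sh -e
}

# Show the resulting rules and which processes listen on the debug ports.
show_state() {
    firewall-cmd --zone="$ZONE" --list-rich-rules
    for port in $DEBUG_PORTS; do
        ss -ltnp "( sport = :$port )"
    done
}

# Usage on the DC, as root, with the real Data Aggregator address substituted
# for the constructed placeholder 10.0.0.5/32:
#   plan_rules 10.0.0.5/32     # review the commands
#   apply_rules 10.0.0.5/32    # run them and reload firewalld
#   show_state                 # confirm rules and listeners
```

After the reload, confirm from a host outside the allowed set that a TCP connection to port 8681 is refused while the Data Aggregator can still reach it, then re-run the Qualys scan to verify the finding no longer appears.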