NetOps Data Collector HTTP Security Header Not Detected Vulnerability
search cancel

NetOps Data Collector HTTP Security Header Not Detected Vulnerability


Article ID: 204779


Updated On:


CA Performance Management - Usage and Administration DX NetOps


An internal security scan reveals the following security vulnerability which needs to be remediated ASAP.

A Qualsys system scan on DX NetOps Performance Management Data Collector hosts running release 21.2.12 returned the following Vulnerability.

How can this be remediated?

DNS Tracking Method OS QID Title Vendor Reference CVSS Base CVSS Temporal CVSS Environment Solution Results Server Name Application Inventory.Contact CVSS Merge CVSS Qualitative Final Merge Lookup
DC_hostname QAGENT Red Hat Enterprise Linux Server 7.9 45242 Remote Management Service Accepting Unencrypted Credentials Detected(HTTP)   4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 3.3 (E:U/RL:W/RC:UR) Asset Group: FH_E42_INSCOPE_PCI, Collateral Damage Potential:  Not Defined, Target Distribution: Not Defined, Confidentiality Requirement: Not Defined, Integrity Requirement: Not Defined, Availability Requirement: Not Defined If possible, use alternate services that provide encryption.

Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission.
Service Name: HTTP on TCP port 8681.
HTTP Service Accepting Basic Auth Credentials Detected#
DC_hostname CAPM (Network Performance Tool)   6.4 Medium DC_hostname DC_hostname


All supported DX NetOps Performance Management releases


The Data Collector (DC) only provides a /debug http endpoint. One that regular users should not be accessing.

The /debug provides a link to the Apache Karaf web console which we do not have access to in order to add headers.

The /debug/dispatcher is CAPM debug module.

The only time we need to go into them is really to check if a bundle is running or restart it, which can also be done via web pages.

This would only be done at the request of support.


There are two options to address this concern.

  1. Internal network controls to prevent access by unwanted or unauthorized users.
    • Ports 8501, 8681 and 8601 should be firewalled to only allow local access.
    • They should not be blocked from all use, only from external use.
    • If they are blocked in entirety it will break the gathering of Data Aggregator and Data Collector Self Monitoring metric data.
  2. Upgrade to 22.2.2 or newer releases.
    • Starting with 22.2.2 we have introduced HTTPS configuration support for Data Collectors.
    • Upgrade and configure the DC for HTTPS.