Unencrypted authentication requests for /host-manager/html address on SOI Manager & UI


Article ID: 208332


Products

CA Service Operations Insight (SOI)

Issue/Introduction

During penetration tests against the SOI environment, the security department found that the following URLs request HTTP Basic Authentication over plain (unencrypted) HTTP:

UI

http://soi-ui-server/host-manager/html
http://soi-ui-server/manager/html

Manager

http://soi-manager-server/host-manager/html
http://soi-manager-server/manager/html

The publicly available Tomcat documentation describes the applications behind these URLs as the Tomcat Manager and Host Manager, which allow deploying and managing Tomcat itself and its web applications. However, reading the XML configuration files of these applications, it appears that both were deliberately left in a partially disabled state.

Even so, when these URLs are opened in a browser, the web server issues a Basic Authentication challenge. A user who enters credentials there sends them Base64-encoded over HTTP, which is effectively cleartext on the network. This is a security issue.

Can we safely disable these services?

Environment

Release : 4.x

Component : Service Operations Insight (SOI) Manager & User Interface Server

Resolution

SOI no longer uses these Tomcat applications, so the manager and host-manager application folders (normally under the Tomcat webapps directory) can safely be removed. Take a backup of the folders first, then restart both the SOI Manager and the SOI UI services.

Note: A defect has been raised with Engineering to remove these folders in future releases.
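To confirm the fix, the check below probes each URL from the pentest finding and reports the ones that still answer with a Basic Authentication challenge over plain HTTP; after the folders are removed and the services restarted, Tomcat should answer 404 instead. This is an added example, not code from the original article or from SOI. The host names are the placeholders used in the article, and the captured responses (including their realm strings) are constructed so that the script runs offline; replace `constructed_fetch` with the default `probe` to test live servers.

```python
"""Find URLs that still challenge for HTTP Basic Authentication over cleartext HTTP.

Added example for the SOI /manager and /host-manager finding; not part of the
original article or of SOI. Host names are the article's placeholders and the
CONSTRUCTED_RESPONSES table stands in for the live servers."""
import re
import urllib.error
import urllib.request

# A Basic challenge token at the start of a WWW-Authenticate value, or after a
# comma separating several challenges (RFC 7235 allows both forms).
_BASIC_SCHEME = re.compile(r"(?:^|,)\s*basic(?:\s|$)", re.IGNORECASE)


def offers_basic(header_pairs):
    """True if any WWW-Authenticate header in header_pairs offers the Basic scheme."""
    return any(
        name.lower() == "www-authenticate" and _BASIC_SCHEME.search(value) is not None
        for name, value in header_pairs
    )


def is_cleartext_basic_challenge(url, status, header_pairs):
    """The pentest finding: a 401 Basic challenge on a plain http:// URL.

    A 404 (application removed) or an https:// URL (credentials encrypted in
    transit) is not reported."""
    return (
        url.lower().startswith("http://")
        and status == 401
        and offers_basic(header_pairs)
    )


def probe(url, timeout=5):
    """Fetch url and return (status, [(header, value), ...]).

    urllib raises HTTPError for 401 and 404, so the status and headers are
    taken from the exception in that case."""
    request = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, list(response.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items())


def find_cleartext_basic_auth(urls, fetch=probe):
    """Return the subset of urls that still challenge for Basic auth over HTTP."""
    return [url for url in urls if is_cleartext_basic_challenge(url, *fetch(url))]


# Constructed responses: on soi-ui-server the two applications are still present
# and challenge for Basic auth; on soi-manager-server the folders have already
# been removed, so Tomcat answers 404 and nothing is reported.
CONSTRUCTED_RESPONSES = {
    "http://soi-ui-server/host-manager/html": (
        401, [("WWW-Authenticate", 'Basic realm="Tomcat Host Manager Application"')]),
    "http://soi-ui-server/manager/html": (
        401, [("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')]),
    "http://soi-manager-server/host-manager/html": (
        404, [("Content-Type", "text/html;charset=utf-8")]),
    "http://soi-manager-server/manager/html": (
        404, [("Content-Type", "text/html;charset=utf-8")]),
}


def constructed_fetch(url):
    """Offline stand-in for probe() that replays the constructed responses."""
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    # Against real servers use: find_cleartext_basic_auth(list(CONSTRUCTED_RESPONSES))
    for offending in find_cleartext_basic_auth(list(CONSTRUCTED_RESPONSES), fetch=constructed_fetch):
        print("cleartext Basic auth challenge still present:", offending)
```

The check only detects the specific pattern from the finding (a 401 with a Basic challenge on an http:// URL). A form-based login page served over HTTP would also send credentials in cleartext but is not a 401 challenge, so it must be reviewed separately.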