Fix for HTTP vulnerabilities


Article ID: 209221


Updated On:

Products

CA Performance Management - Usage and Administration

Issue/Introduction

I opened a case that listed some of these same vulnerabilities. Here's the text of that case:

 

We are in the process of implementing CAPM and at the request of HCL professional services, they suggested we open a ticket to see if there are ways to mitigate 4 vulnerabilities that have been found in our security scans. We have the following vulnerabilities that "could" potentially be fixed by changing the jetty configuration but we need Broadcom's guidance.

Missing or insecure "Content-Security-Policy" header

Missing or insecure "X-Content-Type-Options" header

Missing or insecure "X-XSS-Protection" header

Missing or insecure HTTP Strict-Transport-Security Header

I can send full scan of the CAPC so developers can reference what's been found. We are looking for ways to mitigate these.

 

I have since upgraded in October 2020 to DX NetOps/CAPM 20.2.3 and the Content-Security-Policy and HTTP Strict-Transport-Security header findings still exist. Is there a way to fix that with configuration?

 

I am looking at how to remediate the following vulnerabilities:

Body Parameters Accepted in Query
Microsoft IIS Missing Host Header Information Leakage
Missing or insecure "Content-Security-Policy" header
Missing or insecure HTTP Strict-Transport-Security Header
Query Parameter in SSL Request

Cause

Those headers are set through the CustomHeaders section that was added to SsoConfig in 3.7.19 and 20.2.7.

Environment

Release : 20.2

Component : IM Reporting / Admin / Configuration

Resolution

We don't set any of them OOTB, but customers can set them using SsoConfig. The prompt shown when you update the Custom Headers option includes an example of those headers.

Option 21 (it appears this step has not been documented in the docs):

SSO Configuration/DX NetOps/Performance Center/Local Override:
1. Web Service Scheme:
2. Web Service Host:
3. Web Service Port:
4. Web Service Inventory (Version 1):
5. Web Service Data Source Admin:
6. Web Site Scheme: https
7. Web Site Host:
8. Web Site Port: 8182
9. Web Site Path:
10. SMTP Enabled:
11. SMTP Server Address:
12. SMTP Ports:
13. SMTP SSL:
14. Email Reply Address:
15. Email Format:
16. SMTP Username:
17. SMTP Password:
18. Web Service Inventory (Version 2):
19. SMTP Authentication:
20. Allow Performance Center in a frame: Disabled
21. Custom HTTP headers to be added to our responses:

Help message:

Property: Custom HTTP headers to be added to our responses (Remote Value)
Value:
Example: X-XSS-Protection:1; mode=block|X-Content-Type-Options:nosniff|Strict-Transport-Security:max-age=31536000; includeSubDomains
Description: This contains a map for additional HTTP headers that are added to our responses. Keys and values are separated by a colon(:) and pairs are separated by a vertical bar(|).
Enter r to reset the value, u to update to new value >

20.2.3 has the Custom Headers ability. 
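As an added illustration (not part of this article or of the product), the following parses a value in the format the help message describes (key:value pairs separated by |) and checks the resulting map against the four header findings listed in the case text. It assumes each pair is split on its first colon only, so that a Content-Security-Policy value that itself contains colons is kept whole; the page does not state how the product handles that case.

```python
"""Parse an SsoConfig custom-header value and check it against scan findings."""
from typing import Dict, List

# Header names taken from the scan findings quoted in this article.
EXPECTED_HEADERS = {
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Strict-Transport-Security",
}


def parse_custom_headers(value: str) -> Dict[str, str]:
    """Split the SsoConfig value into a header map.

    Assumption (not stated on the page): each pair is split on its FIRST colon
    only, so a value that itself contains a colon (e.g. a CSP source such as
    https:) survives intact. Whitespace around keys and values is stripped.
    """
    headers: Dict[str, str] = {}
    for pair in value.split("|"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, val = pair.partition(":")
        name, val = name.strip(), val.strip()
        if not sep or not name or not val:
            raise ValueError(f"malformed header pair: {pair!r}")
        headers[name] = val
    return headers


def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Return the scan-flagged header names not present (case-insensitive)."""
    present = {k.lower() for k in headers}
    return sorted(h for h in EXPECTED_HEADERS if h.lower() not in present)


# The article's example value, extended with a constructed CSP entry whose value
# contains colons, which is the case the first-colon split exists for.
SAMPLE_VALUE = (
    "X-XSS-Protection:1; mode=block"
    "|X-Content-Type-Options:nosniff"
    "|Strict-Transport-Security:max-age=31536000; includeSubDomains"
    "|Content-Security-Policy:default-src 'self' https:; frame-ancestors 'none'"
)

if __name__ == "__main__":
    parsed = parse_custom_headers(SAMPLE_VALUE)
    print(parsed, "still missing:", missing_headers(parsed) or "none")
```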

Additional Information

There are no OOTB settings for these headers, so there are no defaults to look at. You can use the example above to create the headers.