[PIM] "HSTS Missing From HTTPS Server" on TCP 8443

Article ID: 223085

Products

CA Virtual Privilege Manager

Issue/Introduction

A vulnerability assessment (VA) scan reported the finding "HSTS Missing From HTTPS Server" on TCP port 8443 of CA PIM 14.0 running on Windows Server 2016.

Environment

Release : 14.0

Component : ENTM

Resolution

The Strict-Transport-Security (HSTS) header is not returned by default.

Test URL: https://entm:8443/ca-nim-sm/api/

HTTP/1.1 401 Unauthorized
Content-Type: application/xml
Content-Length: 317
Date: Thu, 02 Sep 2021 03:06:12 GMT
Server: PIMProxy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Error xmlns="http://ns.ca.com/2013/06/sm-normalization">
    <ErrorCode>139</ErrorCode>
    <ErrorMessage>Request unauthorized</ErrorMessage>
    <HTTPResponseCode>UNAUTHORIZED</HTTPResponseCode>
    <HTTPResponseCodeValue>401</HTTPResponseCodeValue>
</Error>


As seen above, there is no "Strict-Transport-Security" header in the response.


Follow the steps below to modify "C:\Program Files\CA\AccessControlServer\apache-tomcat-7.0.72\conf\web.xml".

1. Uncomment the httpHeaderSecurity filter definition section, and then add the hstsMaxAgeSeconds parameter, as shown below.

From:
<!--
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>
-->

To:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <!-- Enable HSTS; the parameter names below are those of Tomcat's HttpHeaderSecurityFilter -->
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <!-- max-age in seconds (31536000 = one year) -->
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <!-- Emit the includeSubDomains directive -->
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>

2. Uncomment the httpHeaderSecurity <filter-mapping> section.

From:
<!--
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
-->

To:
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

3. Restart Tomcat.

This time the "Strict-Transport-Security" header appears in the response.


Test URL: https://entm:8443/ca-nim-sm/api/

HTTP/1.1 401 Unauthorized
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: application/xml
Content-Length: 317
Date: Thu, 02 Sep 2021 03:17:14 GMT
Server: PIMProxy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Error xmlns="http://ns.ca.com/2013/06/sm-normalization">
    <ErrorCode>139</ErrorCode>
    <ErrorMessage>Request unauthorized</ErrorMessage>
    <HTTPResponseCode>UNAUTHORIZED</HTTPResponseCode>
    <HTTPResponseCodeValue>401</HTTPResponseCodeValue>
</Error>
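As an added example (not part of the article), the following Python check parses raw HTTPS responses like the two captures above and reports the finding the way a VA scanner would, including the max-age and includeSubDomains directives of the HSTS value. The embedded responses are constructed from the captures with the XML bodies omitted.

```python
# Two raw HTTPS responses, constructed from the article's before/after captures
# (bodies omitted; only the header block matters for this check).
BEFORE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: PIMProxy\r\n\r\n"
)
AFTER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    "Server: PIMProxy\r\n\r\n"
)
MIN_MAX_AGE = 31536000  # one year, the value set in web.xml above

def parse_headers(raw):
    """Map lower-cased header names to values for a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Parse an HSTS value per RFC 6797: ';'-separated, case-insensitive directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def check_hsts(raw, min_max_age=MIN_MAX_AGE):
    """Return (ok, reason), mirroring what the VA scanner reports for this finding."""
    headers = parse_headers(raw)
    if "strict-transport-security" not in headers:
        return False, "HSTS missing from HTTPS server"
    policy = parse_hsts(headers["strict-transport-security"])
    if policy["max_age"] is None:
        return False, "HSTS present but max-age directive missing or invalid"
    if policy["max_age"] < min_max_age:
        return False, f"HSTS max-age {policy['max_age']} below {min_max_age}"
    return True, f"HSTS ok: max-age={policy['max_age']}, includeSubDomains={policy['include_subdomains']}"
```

Running check_hsts(BEFORE) reproduces the scanner finding, and check_hsts(AFTER) passes once the filter is active.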