A vulnerability scan of DX NetOps Spectrum 21.2 reported multiple findings, such as the following:
Plugin | Plugin Name | Severity | Component | Port | CVE
12085 | Apache Tomcat Default Files | Medium | OneClick | 9443 |
142960 | HSTS Missing From HTTPS Server (RFC 6797) | Medium | OneClick | 9443 |
151969 | MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) | High | OneClick | 0 | CVE-2019-17543, CVE-2021-2342, CVE-2021-2356, CVE-2021-2372, CVE-2021-2385, CVE-2021-2389, CVE-2021-2390, CVE-2021-22901
152182 | Apache Tomcat 9.0.0.M1 < 9.0.48 vulnerability | Medium | OneClick | 9443 | CVE-2021-33037
151969 | MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) | High | MLS SpectroSERVER (SS) | 0 | CVE-2019-17543, CVE-2021-2342, CVE-2021-2356, CVE-2021-2372, CVE-2021-2385, CVE-2021-2389, CVE-2021-2390, CVE-2021-22901
151969 | MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) | High | MLS-Fault-Tolerant SS | 0 | CVE-2019-17543, CVE-2021-2342, CVE-2021-2356, CVE-2021-2372, CVE-2021-2385, CVE-2021-2389, CVE-2021-2390, CVE-2021-22901
104743 | TLS Version 1.0 Protocol Detection | Medium | Jasper Server CABI | 443 |
How have these been addressed?
DX NetOps 21.2 Spectrum
1. Apache Tomcat Default Files on port 9443 (for webtomcat):
Solution: Add the following to the webtomcat/conf/server.xml file, inside the Engine tag, after the AccessLogValve entry, and restart Tomcat:
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true" showServerInfo="false" />
This plugin flags Tomcat's default error pages among other default content; showServerInfo="false" removes the Tomcat version string from those pages, and setting showReport="false" as well suppresses the error description. If the scan output also lists default web applications such as examples or docs, remove those from webtomcat/webapps.
2. HSTS Missing From HTTPS Server (RFC 6797) on port 9443 (for webtomcat):
Solution: This should already be addressed, because the HttpHeaderSecurity filter is shipped in the $Webtomcat/conf/web.xml file. Cross-check that file and confirm this section is present:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
Further down in the same web.xml file, this section must also be present and not commented out:
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Two caveats when verifying: the filter only adds the Strict-Transport-Security header on requests Tomcat regards as secure (direct HTTPS on 9443, or a proxied request that the connector or a RemoteIpValve marks as secure), and its hstsMaxAgeSeconds init-param defaults to 0, which browsers treat as "forget this host". If the scan passes but the header reads max-age=0, add an hstsMaxAgeSeconds init-param with a value such as 31536000 (one year).
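The following is an added example for checking items 1 and 2 from a captured response; it is not Broadcom's or the Spectrum product's code. The three responses embedded in it are constructed to illustrate a server before the fix, a server whose filter mapping is active but still emits max-age=0, and a server after the fix; the one-year threshold is an assumed policy value, and the fetch() helper for a live 9443 port is optional.

```python
"""Offline check of an HTTP response against the OneClick findings above.

check_headers() reports whether Strict-Transport-Security is present with a
usable max-age, whether the anti-clickjacking header is set, and whether the
body still carries Tomcat's version banner. fetch() is a live helper for the
real 9443 port; the constructed responses below stand in for it offline.
"""
import re
import socket
import ssl

HSTS_MIN_AGE = 31536000          # one year; assumed policy threshold, not a Spectrum default
TOMCAT_BANNER = re.compile(r"Apache Tomcat/\d+\.\d+\.\d+")

# Constructed sample responses (not captured from a real Spectrum server).
BEFORE_RESPONSE = (
    "HTTP/1.1 404 \r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><body><h1>HTTP Status 404 - Not Found</h1>"
    "<hr class=\"line\" /><h3>Apache Tomcat/9.0.48</h3></body></html>"
)
# Filter mapped, but hstsMaxAgeSeconds left at its default of 0.
DEFAULT_FILTER_RESPONSE = (
    "HTTP/1.1 404 \r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><body><h1>HTTP Status 404 - Not Found</h1></body></html>"
)
AFTER_RESPONSE = (
    "HTTP/1.1 404 \r\n"
    "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><body><h1>HTTP Status 404 - Not Found</h1></body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_headers(raw):
    """Map each finding to True (passes) or False (still reported)."""
    _, headers, body = parse_response(raw)
    hsts = headers.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    max_age = int(match.group(1)) if match else None
    return {
        # The scan finding is about the header being absent ...
        "hsts_present": max_age is not None,
        # ... but max-age=0 tells browsers to drop the host from their HSTS list,
        # so a passing scan with this value gives no protection.
        "hsts_max_age_ok": max_age is not None and max_age >= HSTS_MIN_AGE,
        "clickjacking_header": headers.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        # showServerInfo="false" on the ErrorReportValve removes this banner.
        "no_tomcat_banner": TOMCAT_BANNER.search(body) is None,
    }


def fetch(host, port=9443, path="/spectrum/does-not-exist"):
    """Fetch a raw response over TLS from a live host (not used by the offline checks)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # OneClick often runs a self-signed cert; verify it separately
    request = "GET {} HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n\r\n".format(path, host)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request.encode())
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    for label, raw in (("before", BEFORE_RESPONSE),
                       ("default filter", DEFAULT_FILTER_RESPONSE),
                       ("after", AFTER_RESPONSE)):
        print(label, check_headers(raw))
```

Requesting a path that does not exist is deliberate: the 404 page is where Tomcat's version banner appears, so one response exercises both the valve change and the header filter.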
3. MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) on OneClick:
Solution: MySQL has been upgraded to 5.7.35 in Spectrum 21.2.2.0. Confirm the installed version after upgrading; port 0 in the scan results indicates a local, credentialed version check rather than a listening service.
4. Apache Tomcat 9.0.0.M1 < 9.0.48 vulnerability (CVE-2021-33037, HTTP request smuggling via Transfer-Encoding handling):
Solution: Tomcat has been upgraded to 9.0.50 in Spectrum 21.2.2.0.
5. MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) on MLS SpectroSERVER (SS):
Solution: Same finding as item 3; MySQL has been upgraded to 5.7.35 in Spectrum 21.2.2.0.
6. MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) on MLS-Fault-Tolerant SS:
Solution: Same finding as item 3; MySQL has been upgraded to 5.7.35 in Spectrum 21.2.2.0.
7. TLS Version 1.0 Protocol Detection:
Solution:
Edit the file $SPECROOT\tomcat\webapps\spectrum\META-INF\context.xml in the customer environment and replace
vbroker.security.client.socket.enabledProtocols=TLSv1.2,TLSv1
vbroker.security.server.socket.enabledProtocols=TLSv1.2,TLSv1
with
vbroker.security.client.socket.enabledProtocols=TLSv1.2
vbroker.security.server.socket.enabledProtocols=TLSv1.2
then restart Tomcat and rescan to confirm the TLSv1.0 finding is resolved.
When Mod-Security (the Apache httpd front end) is enabled, also edit httpd-ssl.conf: search for "SSLProtocol all" and change that line and the SSLProxyProtocol line to disable TLSv1 and TLSv1.1. A "-" prefix excludes the named protocol from "all":
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
Also disable weak ciphers by editing the SSLCipherSuite and SSLProxyCipherSuite lines as follows:
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DES:!IDEA:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DES:!IDEA:!SSLv3:!kRSA
Restart httpd after the change. Note that the table reports this finding on port 443 of the Jasper Server CABI component, so verify the TLS configuration of the service answering on that port as well.
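To check the two protocol settings from item 7 before and after the change, the following added example (not Broadcom's or the Spectrum product's code) resolves an httpd SSLProtocol line and a vbroker enabledProtocols property to the set of protocols still enabled, and offers a live handshake probe pinned to a single TLS version for confirming the result on a real port. The config lines embedded in it are constructed from the solution text; the host and port passed to server_accepts() are whatever the reader is testing.

```python
"""Offline evaluation of the two TLS protocol settings from item 7, plus a live
single-version probe for confirming the fix on a real port.

enabled_from_sslprotocol() applies mod_ssl's "all" / "+" / "-" token rules,
enabled_from_vbroker() reads the comma-separated enabledProtocols property, and
legacy_enabled() returns whatever deprecated protocols are still switched on.
"""
import socket
import ssl

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}   # what mod_ssl's "all" expands to
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}                                # what the TLS 1.0/1.1 and SSLv3 plugins flag

# Constructed config lines: the vulnerable and corrected forms from the solution text.
WEAK_SSLPROTOCOL = "SSLProtocol all -SSLv3"
FIXED_SSLPROTOCOL = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"
WEAK_VBROKER = "vbroker.security.client.socket.enabledProtocols=TLSv1.2,TLSv1"
FIXED_VBROKER = "vbroker.security.client.socket.enabledProtocols=TLSv1.2"


def enabled_from_sslprotocol(directive):
    """Resolve an httpd SSLProtocol / SSLProxyProtocol line to the set of enabled protocols.

    Tokens are processed left to right: "all" or a bare/"+" name enables, "-" disables."""
    tokens = directive.split()
    if tokens and tokens[0].lower() in ("sslprotocol", "sslproxyprotocol"):
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        sign = "+"
        if tok[0] in "+-":
            sign, tok = tok[0], tok[1:]
        names = set(ALL_PROTOCOLS) if tok.lower() == "all" else {tok}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def enabled_from_vbroker(line):
    """Parse vbroker.security.<side>.socket.enabledProtocols=<comma-separated list>."""
    _, _, value = line.partition("=")
    return {p.strip() for p in value.split(",") if p.strip()}


def legacy_enabled(enabled):
    """Deprecated protocols still on; an empty set means the finding should clear."""
    return enabled & LEGACY


def server_accepts(host, port, version=ssl.TLSVersion.TLSv1):
    """Live check: does the server complete a handshake pinned to exactly `version`?

    Modern OpenSSL refuses TLSv1/1.1 at its default security level, so the
    client context is lowered to SECLEVEL=0; without that a refusal would be
    the client's doing, not the server's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    for line in (WEAK_SSLPROTOCOL, FIXED_SSLPROTOCOL):
        print(line, "->", sorted(legacy_enabled(enabled_from_sslprotocol(line))) or "clean")
    for line in (WEAK_VBROKER, FIXED_VBROKER):
        print(line, "->", sorted(legacy_enabled(enabled_from_vbroker(line))) or "clean")
```

A False from server_accepts() on TLSv1 after the change, together with True on TLSv1.2, is the result the rescan should reproduce; a False on every version points at a connectivity or client-side problem rather than a fixed server.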
Sustaining has tested this on WebTomcat and confirmed that the response carries the Strict-Transport-Security header as expected when opening the web application on the WebTomcat server.
So the HSTS requirement is now met.