A vulnerability scan of DX NetOps Spectrum 21.2 reported multiple findings, such as the following:
Plugin | Plugin Name | Severity | Component | Port | CVE
--- | --- | --- | --- | --- | ---
12085 | Apache Tomcat Default Files | Medium | OneClick | 9443 |
142960 | HSTS Missing From HTTPS Server (RFC 6797) | Medium | OneClick | 9443 |
151969 | MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) | High | OneClick | 0 | CVE-2019-17543, CVE-2021-2342, CVE-2021-2356, CVE-2021-2372, CVE-2021-2385, CVE-2021-2389, CVE-2021-2390, CVE-2021-22901
152182 | Apache Tomcat 9.0.0.M1 < 9.0.48 vulnerability | Medium | OneClick | 9443 | CVE-2021-33037
151969 | MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) | High | MLS SpectroSERVER (SS) | 0 | CVE-2019-17543, CVE-2021-2342, CVE-2021-2356, CVE-2021-2372, CVE-2021-2385, CVE-2021-2389, CVE-2021-2390, CVE-2021-22901
151969 | MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) | High | MLS-Fault-Tolerant SS | 0 | CVE-2019-17543, CVE-2021-2342, CVE-2021-2356, CVE-2021-2372, CVE-2021-2385, CVE-2021-2389, CVE-2021-2390, CVE-2021-22901
104743 | TLS Version 1.0 Protocol Detection | Medium | Jasper Server CABI | 443 |
How have these been addressed?
DX NetOps 21.2.x Spectrum
1. Apache Tomcat Default Files on port 9443 (for webtomcat):
Solution: Add the following to the webtomcat/conf/server.xml file, inside the Engine element after the AccessLogValve:
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true" showServerInfo="false"></Valve>
2. HSTS Missing From HTTPS Server (RFC 6797) on port 9443 (for webtomcat):
Solution: This should already be fixed, because the HttpHeaderSecurity filter is added in the $Webtomcat/conf/web.xml file. Cross-check that file and confirm that the following section is present:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
Further down in the same web.xml file, this filter-mapping section must also be present and uncommented:
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
3. MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) on OneClick:
Solution: MySQL has been upgraded to 5.7.35 in Spectrum 21.2.2.0.
4. Apache Tomcat 9.0.0.M1 < 9.0.48 vulnerability:
Solution: Tomcat has been upgraded to 9.0.50 in Spectrum 21.2.2.0.
5. MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) on MLS SpectroSERVER (SS):
Solution: MySQL has been upgraded to 5.7.35 in Spectrum 21.2.2.0.
6. MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) on MLS-Fault-Tolerant SS:
Solution: MySQL has been upgraded to 5.7.35 in Spectrum 21.2.2.0.
7. TLS Version 1.0 Protocol Detection:
Solution:
Edit the file $SPECROOT\tomcat\webapps\spectrum\META-INF\context.xml in the customer environment.
Replace
vbroker.security.client.socket.enabledProtocols=TLSv1.2,TLSv1
vbroker.security.server.socket.enabledProtocols=TLSv1.2,TLSv1
with
vbroker.security.client.socket.enabledProtocols=TLSv1.2
vbroker.security.server.socket.enabledProtocols=TLSv1.2
then rescan to check whether this resolves the TLSv1.0 finding.
When ModSecurity is enabled, the following change can also be applied:
Edit the httpd-ssl.conf file, search for "SSLProtocol all", and change that line to disable the TLSv1 and TLSv1.1 protocols. The "-" prefix excludes a protocol from "all".
For example:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
Also disable weak ciphers by editing the SSLCipherSuite and SSLProxyCipherSuite lines as follows:
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DES:!IDEA:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DES:!IDEA:!SSLv3:!kRSA
To verify that the response carries the Strict-Transport-Security header:
- Open a new Chrome browser window
- Click the three dots in the upper right corner of the browser and select More Tools -> Developer Tools from the menu
- Enter the URL of the WebApp login page, for example https://192.168.2.1:8443/spectrum/webapp, where 8443 is the HTTPS port of the Spectrum tomcat (not WebTomcat)
- In the Developer Tools window, click the Network tab and select All
- In the Name column, click the first login entry
- Click the Headers tab
- Scroll down and look for one of the following:
Strict-Transport-Security: max-age=0
Strict-Transport-Security: max-age=6307200; includeSubDomains; preload
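A scripted version of the browser check above, added here as an example and not part of Broadcom's article or tooling: it fetches the login URL, parses the Strict-Transport-Security value per RFC 6797, and distinguishes an enforced policy from the max-age=0 form listed above, which browsers treat as "forget this host". The host and URL are the article's example values used as placeholders.

```python
import ssl
import urllib.error
import urllib.request


def parse_hsts(value):
    """Split an HSTS value into its directives (RFC 6797 s6.1); None if max-age is missing/invalid."""
    directives = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name.strip():  # directive names are case-insensitive
            directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdecimal():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def evaluate_hsts(headers):
    """Return (enforced, reason) for a mapping of response headers."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "header absent"
    parsed = parse_hsts(value)
    if parsed is None:
        return False, "malformed value: %r" % value
    if parsed["max-age"] == 0:
        # max-age=0 tells browsers to drop the policy, so a scanner still reports HSTS as
        # missing: set the filter's hstsMaxAgeSeconds init-param to a positive value.
        return False, "max-age=0 disables the policy"
    return True, "max-age=%d" % parsed["max-age"]


def fetch_headers(url, verify_cert=True):
    """GET the login URL and return its response headers (also for a 4xx/5xx reply)."""
    ctx = ssl.create_default_context()
    if not verify_cert:  # only for lab hosts that use self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # error pages must carry the header too
        return dict(err.headers.items())


if __name__ == "__main__":
    # Placeholder URL from the article's example; point it at your own host.
    print(evaluate_hsts(fetch_headers("https://192.168.2.1:8443/spectrum/webapp", verify_cert=False)))
```

For the TLS 1.0 finding, `openssl s_client -tls1 -connect host:port` is the equivalent manual probe: a server that has dropped TLSv1 refuses the handshake.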