Vulnerabilities found on DX NetOps Spectrum 21.2


Article ID: 224555


Products

CA Spectrum DX NetOps

Issue/Introduction

A vulnerability scan of DX NetOps Spectrum 21.2 reported multiple findings, such as the following:

| Plugin | Plugin Name | Severity | Component | Port | CVE |
|---|---|---|---|---|---|
| 12085 | Apache Tomcat Default Files | Medium | OneClick | 9443 | |
| 142960 | HSTS Missing From HTTPS Server (RFC 6797) | Medium | OneClick | 9443 | |
| 151969 | MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) | High | OneClick | 0 | CVE-2019-17543, CVE-2021-2342, CVE-2021-2356, CVE-2021-2372, CVE-2021-2385, CVE-2021-2389, CVE-2021-2390, CVE-2021-22901 |
| 152182 | Apache Tomcat 9.0.0.M1 < 9.0.48 vulnerability | Medium | OneClick | 9443 | CVE-2021-33037 |
| 151969 | MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) | High | MLS SpectroSERVER (SS) | 0 | CVE-2019-17543, CVE-2021-2342, CVE-2021-2356, CVE-2021-2372, CVE-2021-2385, CVE-2021-2389, CVE-2021-2390, CVE-2021-22901 |
| 151969 | MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU) | High | MLS-Fault-Tolerant SS | 0 | CVE-2019-17543, CVE-2021-2342, CVE-2021-2356, CVE-2021-2372, CVE-2021-2385, CVE-2021-2389, CVE-2021-2390, CVE-2021-22901 |
| 104743 | TLS Version 1.0 Protocol Detection | Medium | Jasper Server CABI | 443 | |

How have these been addressed?

Environment

DX NetOps 21.2 Spectrum

Resolution

  1. Apache Tomcat Default Files on port 9443 (for webtomcat):

     Solution: Add the following to the webtomcat/conf/server.xml file, inside the Engine tag after the AccessLogValve entry:

     <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true" showServerInfo="false"></Valve>

 

  2. HSTS Missing From HTTPS Server (RFC 6797) on port 9443 (for webtomcat):

     Solution: This should already be fixed, because the HttpHeaderSecurity filter has been added to the $Webtomcat/conf/web.xml file. Cross-check that file and confirm this section is present:

   <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>

    

     Further down in the same web.xml file, this section should also be present and uncommented:

     <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
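To confirm items 1 and 2 on a real system rather than by eye, here is an added Python check (not Broadcom's code or tooling) that parses copies of server.xml and web.xml the way Tomcat's XML parser does, so a filter-mapping that is still inside an XML comment is reported as missing. The file paths webtomcat/conf/server.xml and webtomcat/conf/web.xml come from the article; the embedded sample files are constructed. It goes one step beyond the article: Tomcat's HttpHeaderSecurityFilter defaults hstsEnabled to true but hstsMaxAgeSeconds to 0, so with only the antiClickJackingOption init-param shown above the header sent is max-age=0, which RFC 6797 defines as "drop the policy"; the script flags that so an explicit hstsMaxAgeSeconds can be added.

```python
"""Offline check of the webtomcat server.xml and web.xml changes above.

Added example, not Broadcom tooling. Paths webtomcat/conf/server.xml and
webtomcat/conf/web.xml are from the article; embedded samples are constructed.
"""
import sys
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix: '{http://...}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def check_server_xml(text):
    """True if an ErrorReportValve with showServerInfo="false" sits under <Engine>."""
    root = ET.fromstring(text)
    for engine in (e for e in root.iter() if _local(e.tag) == "Engine"):
        for valve in (v for v in engine.iter() if _local(v.tag) == "Valve"):
            if (valve.get("className", "").endswith(".ErrorReportValve")
                    and valve.get("showServerInfo", "true").lower() == "false"):
                return True
    return False


def check_web_xml(text):
    """Describe the httpHeaderSecurity filter as the XML parser sees it.

    A <filter-mapping> left inside an XML comment never reaches the parser, so
    mapped_to_root is False in exactly the case the article warns about. HSTS
    values fall back to Tomcat's documented defaults (hstsEnabled=true,
    hstsMaxAgeSeconds=0) when no init-param sets them.
    """
    root = ET.fromstring(text)
    report = {"filter_declared": False, "mapped_to_root": False,
              "hsts_enabled": None, "hsts_max_age": None}
    for flt in (e for e in root.iter() if _local(e.tag) == "filter"):
        if (_child_text(flt, "filter-name") != "httpHeaderSecurity" or not
                _child_text(flt, "filter-class").endswith("HttpHeaderSecurityFilter")):
            continue
        report["filter_declared"] = True
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in flt if _local(p.tag) == "init-param"}
        report["hsts_enabled"] = params.get("hstsEnabled", "true").lower() == "true"
        report["hsts_max_age"] = int(params.get("hstsMaxAgeSeconds", "0"))
    for fm in (e for e in root.iter() if _local(e.tag) == "filter-mapping"):
        if (_child_text(fm, "filter-name") == "httpHeaderSecurity"
                and _child_text(fm, "url-pattern") == "/*"):
            report["mapped_to_root"] = True
    return report


def hsts_findings(report):
    """Problems that would keep the HSTS finding open; empty list means clear."""
    problems = []
    if not report["filter_declared"]:
        problems.append("httpHeaderSecurity filter is not declared")
    if not report["mapped_to_root"]:
        problems.append("filter-mapping for /* is missing or commented out")
    if report["hsts_enabled"] is False:
        problems.append("hstsEnabled is set to false")
    if report["hsts_max_age"] == 0:
        problems.append("hstsMaxAgeSeconds is 0, so browsers will not keep the policy")
    return problems


# Constructed samples mirroring the article's snippets (not real Spectrum files).
SERVER_XML_SAMPLE = """<Server port="8005">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"/>
      <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true" showServerInfo="false"></Valve>
    </Engine>
  </Service>
</Server>"""

WEB_XML_SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>"""

if __name__ == "__main__":
    # Usage: python check_tomcat.py [server.xml] [web.xml]; defaults to the samples.
    args = sys.argv[1:3]
    server_xml = open(args[0]).read() if len(args) > 0 else SERVER_XML_SAMPLE
    web_xml = open(args[1]).read() if len(args) > 1 else WEB_XML_SAMPLE
    print("ErrorReportValve hides server info:", check_server_xml(server_xml))
    report = check_web_xml(web_xml)
    print("web.xml report:", report)
    for problem in hsts_findings(report):
        print("  -", problem)
```

Run it with the two real files as arguments; with no arguments it checks the constructed samples and reports the single remaining problem, hstsMaxAgeSeconds at its default of 0.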

   

 

  3. MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU):

     Solution: MySQL has been upgraded to 5.7.35 in Spectrum 21.2.2.0.

  4. Apache Tomcat 9.0.0.M1 < 9.0.48 vulnerability:

     Solution: Tomcat has been upgraded to 9.0.50 in Spectrum 21.2.2.0.

  5. MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU):

     Solution: MySQL has been upgraded to 5.7.35 in Spectrum 21.2.2.0.

  6. MySQL 5.7.x < 5.7.35 Multiple Vulnerabilities (Jul 2021 CPU):

     Solution: MySQL has been upgraded to 5.7.35 in Spectrum 21.2.2.0.

 

  7. TLS Version 1.0 Protocol Detection:

     Solution: Edit the file $SPECROOT\tomcat\webapps\spectrum\META-INF\context.xml in the customer environment and replace

     vbroker.security.client.socket.enabledProtocols=TLSv1.2,TLSv1
     vbroker.security.server.socket.enabledProtocols=TLSv1.2,TLSv1

     with

     vbroker.security.client.socket.enabledProtocols=TLSv1.2
     vbroker.security.server.socket.enabledProtocols=TLSv1.2

     then rescan to check whether this resolves the TLSv1.0 finding.

     They can also try the following change when Mod-Security is enabled:

     Edit the httpd-ssl.conf file, search for "SSLProtocol all" and edit that line to disable the TLSv1 and TLSv1.1 protocols. For example:

     SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
     SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

     (The "-" sign means all protocols except the ones listed.)

     Also ask them to disable weak ciphers by editing the SSLCipherSuite and SSLProxyCipherSuite lines like this:

     SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DES:!IDEA:!SSLv3:!kRSA
     SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!DES:!IDEA:!SSLv3:!kRSA

Sustaining has tested this on WebTomcat and confirmed that the response includes the Strict-Transport-Security header as expected when opening the web app on the WebTomcat server, as shown in the following attachment:

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=i6rjR0b4bmblLH4kC4qoeg==

So the HSTS requirement is now met.
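The two verification steps above (rescanning after the TLS change in item 7, and checking the response for the Strict-Transport-Security header) can be reproduced without a scanner. The following added Python example, not Broadcom's tooling, resolves an httpd SSLProtocol/SSLProxyProtocol line and the vbroker enabledProtocols properties to the protocol set they actually enable (using the httpd 2.4 rule that "all" expands to SSLv3 through TLSv1.3, and "-X" removes X), reports any legacy protocol still left on, and evaluates a captured Strict-Transport-Security value, treating max-age=0 as a failure. The before/after inputs are constructed from the article's own directives; the host, port and path in the optional live fetch are assumptions.

```python
"""Post-change verification for the TLS and HSTS items above.

Added example, not Broadcom tooling. Inputs below are constructed from the
article's directives; feed real config lines or a captured response header
(e.g. from curl -sI) to check an actual server.
"""
import re
import ssl
import http.client

# What httpd 2.4's "SSLProtocol all" expands to (SSLv2 is never included).
_APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}


def apache_enabled_protocols(directive):
    """Resolve an SSLProtocol/SSLProxyProtocol line to its enabled protocol set."""
    tokens = directive.split()
    if not tokens or tokens[0] not in ("SSLProtocol", "SSLProxyProtocol"):
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        if tok.lower() == "all":
            enabled |= _APACHE_ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def vbroker_enabled_protocols(properties_text):
    """Map each vbroker ...enabledProtocols key to the protocols it enables."""
    out = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().endswith(".enabledProtocols"):
            out[key.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return out


def legacy_tls_still_enabled(*protocol_sets):
    """Legacy protocols that any of the given sets still allows."""
    found = set()
    for s in protocol_sets:
        found |= s & LEGACY
    return found


def evaluate_hsts(header_value):
    """Parse a Strict-Transport-Security value; returns (ok, max_age, reason)."""
    if header_value is None:
        return (False, None, "header absent")
    m = re.search(r"max-age\s*=\s*(\d+)", header_value, re.IGNORECASE)
    if not m:
        return (False, None, "max-age directive missing")
    max_age = int(m.group(1))
    if max_age == 0:
        return (False, 0, "max-age=0 tells browsers to drop the policy")
    return (True, max_age, "ok")


def fetch_hsts_header(host, port=9443, path="/"):
    """Live check (host/port/path assumed): HSTS header from a HEAD request, or None.

    Certificate verification is on; for a self-signed OneClick certificate pass
    its CA via ssl.create_default_context(cafile=...) instead.
    """
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


# Constructed inputs: the article's "before" and "after" settings.
HTTPD_BEFORE = "SSLProtocol all"
HTTPD_AFTER = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"
VBROKER_BEFORE = """vbroker.security.client.socket.enabledProtocols=TLSv1.2,TLSv1
vbroker.security.server.socket.enabledProtocols=TLSv1.2,TLSv1"""
VBROKER_AFTER = """vbroker.security.client.socket.enabledProtocols=TLSv1.2
vbroker.security.server.socket.enabledProtocols=TLSv1.2"""

if __name__ == "__main__":
    for label, httpd, vb in (("before", HTTPD_BEFORE, VBROKER_BEFORE),
                             ("after", HTTPD_AFTER, VBROKER_AFTER)):
        sets = [apache_enabled_protocols(httpd)] + list(vbroker_enabled_protocols(vb).values())
        print(label, "legacy protocols still enabled:",
              sorted(legacy_tls_still_enabled(*sets)) or "none")
    for hdr in (None, "max-age=0", "max-age=31536000; includeSubDomains"):
        print(repr(hdr), "->", evaluate_hsts(hdr))
```

Run stand-alone it prints the legacy protocols still enabled before the change (SSLv3, TLSv1, TLSv1.1) and "none" afterwards, then the three HSTS outcomes; to test a live server, call fetch_hsts_header with the OneClick host and pass the result to evaluate_hsts.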