Common Vulnerability Assessment and Penetration Testing results for Cloud Director Availability 4.x

Article ID: 315042

Products

VMware Cloud Director

Issue/Introduction

When performing a Vulnerability Assessment and Penetration Test (VAPT) against Cloud Director Availability, the generated report may contain multiple findings, depending on the version of Cloud Director Availability in use and on default configuration that can be customized.

These include, but are not limited to:
  • Weak Ciphers
  • Self-Signed Certificate Detected
  • Strict-Transport-Security Not Enforced
  • Content Security Policy (CSP) Not Implemented
  • X-Content-Type-Options Header Not Set
  • Missing Referrer Policy Security Header
  • Permissions Policy Header Not Found
  • Host Header Poisoning
  • Visible Detailed Error/Debug Page and Unhandled Exception Error
  • Server Side Request Forgery (External)
The purpose of this article is to discuss each of these findings, detail remediation actions where a finding is a genuine vulnerability, and explain why some findings are not security concerns for Cloud Director Availability.

Environment

VMware Cloud Director Availability 4.x

Resolution

Weak Ciphers

Cloud Director Availability uses a cipher pattern recommended by the VMware Security Team. If a security scan reports the use of weak ciphers and you require a stricter cipher pattern, see the Services Security Configuration Properties section of the Cloud Director Availability Security Guide for how to configure it.

Self-Signed Certificate Detected

By default the Cloud Director Availability services are deployed with self-signed certificates. The minimum requirement for trusted administration communication is a trusted CA-signed certificate on the Cloud Service only; the other services can continue to use self-signed certificates. If a security scan reports a self-signed certificate on the Cloud Service, replace it with a CA-signed certificate to resolve the finding. For more information, see the Certificates Management section of the Cloud Director Availability Administration Guide.

Strict-Transport-Security Not Enforced

The Cloud Director Availability server does not send the Strict-Transport-Security (HSTS) header. This is not a security concern in practice because the server does not serve plain HTTP: a plain-HTTP request to the service port always receives the response "This combination of host and port requires TLS." and no content. To confirm this during a scan, send a plain-HTTP request to the HTTPS port and check that the reply is this message rather than a redirect or page content.

Content Security Policy (CSP) Not Implemented

CSP has been implemented in the Cloud Director Availability Web App as of Cloud Director Availability 4.1. If a scan reports this finding against an earlier version, upgrade your Cloud Director Availability deployment to resolve it.

X-Content-Type-Options Header Not Set

The security impact of whether this header is set for the Cloud Director Availability Web App is negligible. Cloud Director Availability only serves static HTML/CSS/JS, REST (JSON), usage reports, and support bundles, all of which are served with the correct Content-Type. Cloud Director Availability cannot be made to serve anything else for which X-Content-Type-Options could have an effect.

The recommended "X-Content-Type-Options: nosniff" header is sent as of Cloud Director Availability 4.2. If a scan reports this finding against an earlier version, upgrade your Cloud Director Availability deployment to resolve it.

Missing Referrer Policy Security Header

The Cloud Director Availability Web App never navigates anywhere except to the administration pages of Cloud Director Availability components, the vSphere Client UI, and the Cloud Director UI, and only when logged in as a Service Provider System Administrator. The Cloud Director Availability UI is a Single-Page Application and the Cloud Director Availability servers do not use the Referer header, so setting a Referrer-Policy is unlikely to materially affect security.

Permissions Policy Header Not Found

Cloud Director Availability does not embed any iframes, so a Permissions-Policy header could only limit the features of the Web App's own frame. Given the nature of the Cloud Director Availability Web App (static HTML/CSS/JS and Angular) there is no impact here.
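The five header findings above (Strict-Transport-Security, CSP, X-Content-Type-Options, Referrer-Policy and Permissions-Policy) are all things a scanner decides by reading one HTTP response. The following script, added here as an example and not code from the article or from the Cloud Director Availability product, classifies each of those headers as ok, weak or missing so you can reproduce the scanner's verdict yourself before and after an upgrade. The two sample responses are constructed for illustration and were not captured from a real appliance; the one-year HSTS threshold is an assumption reflecting what most scanners treat as "enforced".

```python
import re
from typing import Dict, List

# Constructed sample responses for illustration only; neither was captured from a
# real Cloud Director Availability appliance.
RESPONSE_PARTIAL = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
RESPONSE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # assumed minimum HSTS max-age a scanner accepts as "enforced"


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values from a raw HTTP/1.1 response.

    Header names are case-insensitive, and a header may legitimately repeat,
    so every occurrence is kept rather than letting the last one win.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # index 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_status(values: List[str]) -> str:
    """'ok' for a max-age of at least a year, 'weak' for a shorter or malformed
    directive, 'missing' when the header is absent."""
    if not values:
        return "missing"
    match = re.search(r"max-age\s*=\s*\"?(\d+)", values[0], re.IGNORECASE)
    if match is None or int(match.group(1)) < ONE_YEAR:
        return "weak"
    return "ok"


def check_security_headers(raw: str) -> Dict[str, str]:
    """Classify each header this article discusses as ok, weak or missing."""
    h = parse_response_headers(raw)
    nosniff = h.get("x-content-type-options", [])
    return {
        "Strict-Transport-Security": hsts_status(h.get("strict-transport-security", [])),
        "Content-Security-Policy": "ok" if h.get("content-security-policy") else "missing",
        "X-Content-Type-Options": (
            "ok" if any(v.lower() == "nosniff" for v in nosniff)
            else "weak" if nosniff else "missing"
        ),
        "Referrer-Policy": "ok" if h.get("referrer-policy") else "missing",
        "Permissions-Policy": "ok" if h.get("permissions-policy") else "missing",
    }


def findings(raw: str) -> List[str]:
    """Names of the headers a scanner would flag, in the order the article lists them."""
    return [name for name, status in check_security_headers(raw).items() if status != "ok"]


if __name__ == "__main__":
    for name, status in check_security_headers(RESPONSE_PARTIAL).items():
        print(f"{name:28} {status}")
```

Feed it the headers of the Cloud Service endpoint (for example the output of "curl -sI" against the HTTPS URL) instead of the constructed sample. If a header the article says is sent by your version still shows as missing, check whether a load balancer or reverse proxy in front of the appliance is stripping it before concluding the product is at fault.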

Host Header Poisoning

The value of the Host header is not blindly trusted in Cloud Director Availability: it is always validated and escaped, so Cloud Director Availability is not vulnerable to Host header injection attacks.
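A Host header poisoning finding is raised when a scanner sends a request with a forged Host value and sees that value reflected, typically in a Location header or an absolute link. The following example, added here and not taken from the article or from the Cloud Director Availability code base, shows the vulnerable pattern beside one way to validate the header as the article describes. The canonical hostname "cda.example.com" and the port are hypothetical placeholders; the actual validation performed by the product is not documented on this page.

```python
from urllib.parse import urlsplit

# Hypothetical canonical hostname and port for the Cloud Service (placeholders,
# not values from the article); substitute the real FQDN of your deployment.
ALLOWED_HOSTS = {"cda.example.com"}
EXPECTED_PORT = 443


def redirect_location_untrusted(host_header: str, path: str) -> str:
    """Vulnerable pattern: the absolute URL is built from whatever Host the client sent.

    A scanner that sends "Host: attacker.example" and sees it reflected here
    reports Host header poisoning, because a victim following that Location
    (or a cache storing it) is sent to the attacker's host.
    """
    return f"https://{host_header}{path}"


def validate_host(host_header: str, allowed=ALLOWED_HOSTS, expected_port=EXPECTED_PORT):
    """Return the canonical lower-case hostname if the Host header names this
    service on its expected port, otherwise None.

    Rejects anything that could smuggle a different authority past a naive
    check: userinfo ("evil@good"), path, query or fragment characters,
    whitespace, a non-default port, and hostnames outside the allowlist.
    """
    if not host_header or any(c in host_header for c in "@/?#\\") \
            or any(c.isspace() for c in host_header):
        return None
    try:
        parts = urlsplit("//" + host_header)
        hostname, port = parts.hostname, parts.port  # .port raises on a non-numeric port
    except ValueError:
        return None
    if hostname is None or port not in (None, expected_port):
        return None
    hostname = hostname.rstrip(".").lower()  # "cda.example.com." and "CDA.EXAMPLE.COM" are the same host
    return hostname if hostname in allowed else None


def redirect_location_validated(host_header: str, path: str) -> str:
    """Hardened form: only an allowlisted Host, canonicalised, ever reaches the URL."""
    hostname = validate_host(host_header)
    if hostname is None:
        raise ValueError("untrusted Host header")
    return f"https://{hostname}{path}"


if __name__ == "__main__":
    print(redirect_location_untrusted("attacker.example", "/login"))   # reflected
    print(redirect_location_validated("CDA.example.com:443", "/login"))  # canonical
```

The allowlist check is what stops reflection; the character and port checks exist because "attacker.example@cda.example.com" or "cda.example.com:8443" would otherwise pass a comparison that only looks at the hostname part.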

Visible Detailed Error/Debug Page and Unhandled Exception Error

This finding occurs when querying the Lookup Service SDK with Service Provider System Administrator credentials. Under these conditions the error response includes a stack trace; non-administrator users never see it.

Server Side Request Forgery (External)

This finding is raised for the Lookup Service Address setting. It is not considered a problem in Cloud Director Availability because this setting is only visible to, and only configurable by, the Service Provider System Administrator.

In all cases the System Administrator has full control over the deployment and its configuration, so their judgement is trusted for all of their actions, such as validating the certificate of the Lookup Service before accepting it.