VMware Smart Assurance NCM : Vulnerability "HSTS Missing From HTTPS Server" reported on NCM application server port 8880.
Article ID: 345106
Updated On:
Products
VMware
Issue/Introduction
Configuration changes suggested in this article is to mitigate "HSTS Missing From HTTPS Server (RFC 6797)" vulnerability in NCM application server (over port 8880 & 443) and device server (port 443).
Symptoms:
Vulnerability https://www.tenable.com/plugins/nessus/142960 "HSTS Missing From HTTPS Server" is found in NCM application server for port 443 & 8880; NCM device server over port 443.
Symptoms:
Vulnerability https://www.tenable.com/plugins/nessus/142960 "HSTS Missing From HTTPS Server" is found in NCM application server for port 443 & 8880; NCM device server over port 443.
Environment
VMware Smart Assurance - NCM
Resolution
Steps recommended to address "HSTS missing from HTTPS" over port 8880 in application server installation:
A) Modify default the $VOYENCE_HOME/ncmcore/conf/web.xml NCM 10.1.x installation with below parameters:
From-
<!--
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
-->
Change web.xml to-
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsPreload</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>xssProtectionEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
B) Execute command "service ncm-as restart" in application server.
Steps recommended to address "HSTS missing from HTTPS" over port 443 in application server installation (this fix specifically is included from NCM 10.x onward):
A) Open $VOYENCE_HOME/conf/httpd.conf (keep a backup of this file in non-NCM installation path prior to making any changes) file in application server.
B) Add below line at end of the file:
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
C) Execute command "service ncm-as restart" in application server.
Steps recommended to address "HSTS missing from HTTPS" over port 443 in device server installation:
A) Add below three lines at end of $VOYENCE_HOME/conf/httpd.conf file in device server-
Header always append X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
B) Execute "service vcmaster restart" in device server.
A) Modify default the $VOYENCE_HOME/ncmcore/conf/web.xml NCM 10.1.x installation with below parameters:
From-
<!--
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
-->
Change web.xml to-
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsPreload</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>xssProtectionEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
B) Execute command "service ncm-as restart" in application server.
Steps recommended to address "HSTS missing from HTTPS" over port 443 in application server installation (this fix specifically is included from NCM 10.x onward):
A) Open $VOYENCE_HOME/conf/httpd.conf (keep a backup of this file in non-NCM installation path prior to making any changes) file in application server.
B) Add below line at end of the file:
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
C) Execute command "service ncm-as restart" in application server.
Steps recommended to address "HSTS missing from HTTPS" over port 443 in device server installation:
A) Add below three lines at end of $VOYENCE_HOME/conf/httpd.conf file in device server-
Header always append X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
B) Execute "service vcmaster restart" in device server.
Feedback
Yes
No
Powered by
