Vulnerability "HSTS Missing From HTTPS Server (RFC 6797)" reported on Application and Device servers
Article ID: 345106


Products

VMware Smart Assurance Network Observability

Issue/Introduction

The configuration changes suggested in this article mitigate the "HSTS Missing From HTTPS Server (RFC 6797)" vulnerability on the NCM application server (ports 8880 and 443) and on the device server (port 443).

Symptoms:

Vulnerability External Link: Tenable reports "HSTS Missing From HTTPS Server (RFC 6797)" on the NCM application server for ports 443 and 8880, and on the NCM device server for port 443.

Environment

All Supported NCM versions

Resolution

Steps recommended to address "HSTS missing from HTTPS" over port 8880 on the application server installation:
  • Modify the default $VOYENCE_HOME/ncmcore/conf/web.xml of the NCM installation with the parameters below.

    From:
<!--
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
-->

Change web.xml to:

  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>hstsIncludeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsPreload</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>xssProtectionEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  • Execute the command "service ncm-as restart" on the application server.

Steps recommended to address "HSTS missing from HTTPS" over port 443 on the application server installation:

  • Open the $VOYENCE_HOME/conf/httpd.conf file on the application server (keep a backup of this file outside the NCM installation path before making any changes).

  • Add the line below at the end of the file:
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
  • Execute the command "service ncm-as restart" on the application server.

Steps recommended to address "HSTS missing from HTTPS" over port 443 on the device server installation:
  • Add the three lines below at the end of the $VOYENCE_HOME/conf/httpd.conf file on the device server:
    Header always append X-Frame-Options SAMEORIGIN
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
  • Execute "service vcmaster restart" on the device server.
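To confirm the change took effect after the restarts, the following added check (example code, not part of this article or of the NCM product) parses a Strict-Transport-Security header per RFC 6797 and reports the same condition Tenable flags, a missing header, plus a max-age below the 31536000 seconds configured above; check_endpoint() is an assumed helper that runs the check against a host and port of your choosing.

```python
import http.client
import ssl

ONE_YEAR = 31536000  # the max-age value the article configures on both servers


def parse_hsts(value):
    """Parse an STS header value into {'max_age', 'include_subdomains', 'preload'};
    None if not a valid RFC 6797 policy (max-age mandatory, not repeated, names case-insensitive)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if policy["max_age"] is not None or not val.isdigit():
                return None  # duplicated or non-numeric max-age
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def evaluate(headers, min_age=ONE_YEAR):
    """Return findings for a response header map; an empty list means the check passes."""
    sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if sts is None:
        return ["HSTS header missing from HTTPS response"]
    policy = parse_hsts(sts)
    if policy is None:
        return ["HSTS header present but malformed: %r" % sts]
    findings = []
    if policy["max_age"] < min_age:
        findings.append("max-age %d is below the expected %d" % (policy["max_age"], min_age))
    if policy["preload"] and not policy["include_subdomains"]:
        findings.append("preload set without includeSubDomains")
    return findings


def check_endpoint(host, port, verify_tls=True):
    """HEAD / over TLS and evaluate the headers (needs network; hypothetical helper)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # self-signed certificates are common on appliance installs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", "/")
        return evaluate(dict(conn.getresponse().getheaders()))
    finally:
        conn.close()
```

Run check_endpoint("<ncm-app-server>", 8880), check_endpoint("<ncm-app-server>", 443) and check_endpoint("<ncm-device-server>", 443) with your own hostnames; an empty list for each means the header is present with the expected max-age.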