VMware Smart Assurance SMARTS : Security scans are reporting HSTS vulnerability issue on ports used by the Smarts services/domains

Article ID: 345357

Products

VMware

Issue/Introduction

Symptoms:
Security scans report the following: "Vulnerabilities in HSTS Missing From HTTPS Server is a Medium risk vulnerability that is one of the most frequently found on networks around the world. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections."

Environment

VMware Smart Assurance - SMARTS

Resolution

Smarts uses its HTTP port differently from web-based applications that use HTTP exclusively. The domain uses the port only for the initial handshake between Smarts clients and for other domain manager interaction.

In simple terms, Smarts uses the HTTP port for its own purposes and does not follow the general notion of the protocol. This vulnerability can be ignored.


Additional Information

Impact/Risks:

The Smarts application has no concept of cookies, so this vulnerability has no impact on Smarts.