DX NetOps Spectrum Vulnerability to CWE ID 296

Article ID: 385022


Products

Network Observability Spectrum

Issue/Introduction

A Veracode scan of Spectrum raises the following vulnerability:

CWE-296: Improper Following of a Certificate's Chain of Trust

How can this be mitigated?

Environment

DX NetOps Spectrum 23.3.x

Cause

Resolution

Modify $SPECROOT/tomcat/conf/server.xml on the Spectrum OneClick server and set the following attribute in the <Connector> section for https:

 certificateVerification="required"

With this value Tomcat requires every connecting client to present a certificate that chains to a CA in the configured truststore and rejects the TLS handshake otherwise.

For example:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector
             port="8443"
             URIEncoding="UTF-8" maxHttpHeaderSize="8192"
             maxThreads="150" minSpareThreads="25"
             enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
             acceptCount="100" connectionTimeout="20000"
             scheme="https" secure="true" SSLEnabled="true"
             clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.3"
             ciphers="TLS_AES_128_GCM_SHA256,
                      TLS_AES_256_GCM_SHA384,
                      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
             keystoreFile="custom/keystore/cacerts"
             keystorePass="changeit"
             <!-- Added for CWE-296: require a client certificate and verify its chain of trust.
                  clientAuth above is the legacy Connector spelling of the same setting. -->
             certificateVerification="required"/>

Then restart the Spectrum Tomcat service for the change to take effect.
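To confirm the fix is actually present before restarting, the following audit script parses a Tomcat server.xml and reports every TLS-enabled Connector that does not enforce certificateVerification="required". It is an added example, not part of the Broadcom article or of Spectrum; the sample server.xml it runs against is constructed here, and it assumes the standard Tomcat layout where the attribute may sit either on the <Connector> or on a nested <SSLHostConfig>.

```python
# Added example (not from the Broadcom article): audit a Tomcat server.xml for
# HTTPS connectors that do not enforce client-certificate chain verification.
import xml.etree.ElementTree as ET


def audit_connectors(server_xml: str) -> list[dict]:
    """Return one finding per TLS-enabled <Connector>.

    'status' is 'ok' when every certificateVerification value found on the
    Connector or its <SSLHostConfig> children is "required", else 'finding'.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP / AJP connectors are out of scope for CWE-296
        values = [conn.get("certificateVerification")]
        values += [h.get("certificateVerification") for h in conn.findall("SSLHostConfig")]
        # Legacy Connector-level spelling: clientAuth="true" is equivalent to "required".
        if conn.get("clientAuth", "").lower() == "true":
            values.append("required")
        effective = [v for v in values if v]
        ok = bool(effective) and all(v == "required" for v in effective)
        results.append({"port": conn.get("port"),
                        "verification": effective,
                        "status": "ok" if ok else "finding"})
    return results


# Constructed sample server.xml (not the page's file): one compliant HTTPS
# connector, one that only sets verification to "none", and a plain HTTP one.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="custom/keystore/cacerts" keystorePass="changeit"
               certificateVerification="required"/>
    <Connector port="9443" scheme="https" secure="true" SSLEnabled="true">
      <SSLHostConfig certificateVerification="none">
        <Certificate certificateKeystoreFile="conf/keystore.jks"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Point it at the real file with `audit_connectors(open("$SPECROOT/tomcat/conf/server.xml").read())`; any entry with status "finding" still needs the attribute from the Resolution above.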