CWE-693 missing HTTP response headers flagged against Tanzu MySQL port 9201
Article ID: 400908

Updated On: 06-12-2025

Products

VMware Tanzu Platform VMware Tanzu Application Service

Issue/Introduction

A security scanner (such as Qualys) is flagging port 9201 on a MySQL node within our Tanzu Application Service (TAS/PCF) foundation as vulnerable due to missing HTTP response headers (e.g., Strict-Transport-Security, X-Content-Type-Options). The scan maps this to CWE-693: Protection Mechanism Failure.

Resolution

The finding concerns HTTP response headers returned by the galera-agent service for MySQL. This internal service reports on the health of a running MySQL instance.

  • The communication is encrypted using mTLS.
  • The data being transmitted is not sensitive. It is a health check on a MySQL instance.
  • The service is running internally, behind a firewall and not exposed to the public.

The flagged vulnerability relates to missing HTTP security headers, which are designed to protect browser-facing applications. Since this is a private, internal service that is never accessed by a browser, these headers are neither relevant nor expected. This finding can therefore be treated as a false positive and safely disregarded.
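Before accepting the finding as a false positive, it is worth confirming the first of the three points above (that port 9201 really does require a client certificate) from an internal host that can reach the MySQL VM. The following script is an added example and is not part of this article or of the galera-agent product; it assumes openssl is installed, that the node IP passed as the first argument is a placeholder for the real MySQL VM address, and that the openssl s_client error strings it matches are the ones printed by current OpenSSL releases.

```shell
#!/bin/sh
# Added verification helper (not from the KB article). Assumptions:
#   - run from an internal host (for example the Ops Manager VM) that can reach the MySQL node,
#   - openssl s_client is available,
#   - the first argument is a placeholder for the MySQL VM's IP address.
PORT=9201

# classify_handshake reads openssl s_client output on stdin and prints one of:
#   requires-client-cert  -> the server refused the handshake for lack of a client
#                            certificate, i.e. mTLS is enforced as the article states
#   plain-tls-accepted    -> a TLS session completed with no client certificate; the
#                            endpoint is reachable unauthenticated and deserves follow-up
#   unreachable           -> nothing answered with TLS (closed port, firewall, not TLS)
#   unknown               -> none of the patterns matched; read the raw output
# The alert strings are the ones OpenSSL prints for TLS 1.3 (certificate required)
# and TLS 1.2 (handshake failure / bad certificate / unknown ca) servers that
# reject an unauthenticated client. Alert patterns are checked first because a
# TLS 1.3 server may print verification lines before sending the alert.
classify_handshake() {
  out="$(cat)"
  case "$out" in
    *"alert certificate required"*|*"alert handshake failure"*|*"alert bad certificate"*|*"alert unknown ca"*)
      echo "requires-client-cert" ;;
    *"Verification: OK"*|*"Verify return code:"*)
      echo "plain-tls-accepted" ;;
    *"connect:errno"*|*"Connection refused"*|*"wrong version number"*)
      echo "unreachable" ;;
    *)
      echo "unknown" ;;
  esac
}

# Only attempt a network probe when a node address is supplied, so the helper
# above can also be sourced and exercised offline.
if [ -n "${1:-}" ]; then
  NODE_IP="$1"
  echo "Probing ${NODE_IP}:${PORT} with no client certificate (expect requires-client-cert)..."
  # </dev/null makes s_client exit right after the handshake; 2>&1 folds the
  # error strings into the stream classify_handshake inspects.
  openssl s_client -connect "${NODE_IP}:${PORT}" </dev/null 2>&1 | classify_handshake
fi
```

Run it as `sh check-9201.sh <mysql-node-ip>`; a result of `requires-client-cert` confirms the mTLS control the resolution relies on, whereas `plain-tls-accepted` means the service answered an unauthenticated TLS client and the scanner's finding should be re-examined with the platform team rather than closed.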