VMware Cloud Director Availability 4.7.x
This is a known limitation in VMware Cloud Availability.
These headers cannot be manually adjusted within VMware Cloud Director Availability and this is being considered for change in a future version of the product. In order to reduce potential exposure, administrative access can be restricted for public addresses, as discussed in the following document:
Allow admin access from anywhere
Otherwise, external mitigations would be required, if this behavior must be addressed.
These two pages (/ui/admin and /ui/login) are simple shell documents that load JavaScript files, which then perform the appropriate work. All assets loaded by these pages (i.e., JS files, CSS files, etc.) and API endpoints called (e.g., sessions) have the following headers, which would provide a mitigation to this concern:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
To validate the caching behavior, simple tests can be performed, such as the one suggested in the following document:
https://github.com/OWASP/www-project-web-security-testing-guide/blob/master/v41/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.md
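As a complement to the browser-based test, the header check can be scripted. The following is an added example, not VMware or OWASP code: it audits captured response header blocks against the Cache-Control and Pragma values listed above. The function names and the sample captures are constructed for illustration.

```python
# Added example: audit captured response headers for the anti-caching
# directives quoted in this article. The captures below are constructed.
from email.parser import Parser

REQUIRED_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}

# Constructed sample: a response carrying the headers listed in the article.
COMPLIANT = """HTTP/1.1 200 OK
Content-Type: application/javascript
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
"""
# Constructed sample: same directives split across two lines, mixed case.
SPLIT = """HTTP/1.1 200 OK
cache-control: No-Cache, No-Store
Cache-Control: max-age=0, must-revalidate
pragma: no-cache
"""
# Constructed sample: a response that still allows the browser to store it.
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-cache
"""

def parse_headers(raw):
    """Drop the status line and parse the remaining header block."""
    _status, _, rest = raw.lstrip().partition("\n")
    return Parser().parsestr(rest, headersonly=True)

def cache_directives(msg):
    """Merge directives from every Cache-Control line, lower-cased."""
    found = {}
    for value in msg.get_all("Cache-Control", []):
        for part in value.split(","):
            name, _, arg = part.strip().partition("=")
            if name:
                found[name.lower()] = arg.strip('"') or None
    return found

def audit(raw):
    """Return a list of findings; an empty list means the headers match."""
    msg = parse_headers(raw)
    found = cache_directives(msg)
    missing = sorted(REQUIRED_DIRECTIVES - found.keys())
    findings = [f"missing Cache-Control directive: {m}" for m in missing]
    if found.get("max-age") != "0":
        findings.append("max-age is not 0")
    pragma = [p.strip().lower() for v in msg.get_all("Pragma", []) for p in v.split(",")]
    if "no-cache" not in pragma:
        findings.append("missing Pragma: no-cache")
    return findings
```

Header blocks captured with the browser developer tools or a command-line HTTP client can be passed to audit() one response at a time.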