Qualys scan reports MySQL Vulnerability QID-19568 on CAPM servers
Article ID: 434067

Products

Network Observability

Issue/Introduction

A Qualys security scan on DX NetOps Performance Management (CAPM) servers reports a vulnerability under QID-19568. The scan identifies a MySQL instance listening on TCP port 3306 and recommends encrypting database information or handling errors that might disclose sensitive information such as the database type or version.

Environment

  • Product: DX NetOps Performance Management (CAPM)
  • Component: Portal / Data Aggregator MySQL Database
  • Version: All Supported Releases


Cause

The Qualys scan (QID-19568) is a generic detection for MySQL services running on their default port. In the DX NetOps Performance Management architecture, the MySQL service is required to listen on port 3306 for inter-service database communication. Disabling this port or preventing the service from listening would cause the application to fail.

Resolution

This finding is considered a False Positive for the following reasons:

  1. Required Port: Port 3306 is essential for the functionality of the CAPM database and cannot be disabled.
  2. Encryption: All communications handled by the application to and from port 3306 are encrypted in transit.
  3. Internal Use: The service is intended for internal application communication and should be protected by your organizational firewalls from external access.

No remediation action is required. This information can be used to document an exception for the security scan.

Additional Information

All four properties files (PC, DM, EM, SSO) contain a db.url entry of the form:

db.url=jdbc:mysql://localhost:3306/netqosportal?characterEncoding=UTF-8&useSSL=true&verifyServerCertificate=false

useSSL=true requests TLS for the connection; verifyServerCertificate=false skips validation of the self-signed certificate that MySQL creates on install.

All communication between the application and MySQL is therefore over TLS.
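To verify the setting this exception relies on, the following added example (not Broadcom's code or part of the article) parses a properties file's db.url and reports its TLS posture, distinguishing a connection that is only encrypted from one that also authenticates the server. The article gives no file paths, so it runs on a constructed sample built around the db.url quoted above.

```python
"""Audit a CAPM properties file's db.url for its TLS settings.

Added example, not Broadcom's code: it reads Java-style properties text,
extracts db.url and reports whether the JDBC connection requests TLS and
whether it verifies the server certificate. The article names no file
paths, so the input is a constructed sample built on the db.url it quotes.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample standing in for one of the PC/DM/EM/SSO properties files.
SAMPLE_PROPERTIES = """\
# portal database connection (constructed sample)
db.user=netqos
db.url=jdbc:mysql://localhost:3306/netqosportal?characterEncoding=UTF-8&useSSL=true&verifyServerCertificate=false
"""

def read_property(text, key):
    """Return the value of `key` from properties text, or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None

def audit_db_url(text):
    """Parse db.url and classify the connection's TLS posture."""
    url = read_property(text, "db.url")
    if url is None or not url.startswith("jdbc:"):
        raise ValueError("no JDBC db.url found in properties text")
    parts = urlsplit(url[len("jdbc:"):])  # leaves mysql://host:port/db?query
    # Connector/J property names are case-sensitive; keep the last value if repeated.
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    use_ssl = params.get("useSSL", "").lower() == "true"
    verify = params.get("verifyServerCertificate", "").lower() == "true"
    if use_ssl and verify:
        posture = "encrypted, server authenticated"
    elif use_ssl:
        posture = "encrypted, server certificate not verified"
    else:
        posture = "TLS not requested explicitly"
    return {"host": parts.hostname, "port": parts.port,
            "database": parts.path.lstrip("/"), "useSSL": params.get("useSSL"),
            "verifyServerCertificate": params.get("verifyServerCertificate"),
            "posture": posture}

if __name__ == "__main__":
    print(audit_db_url(SAMPLE_PROPERTIES))
```

Run it against each of the four real properties files to record the db.url posture alongside the scan exception.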