How to remediate the Insecure Transport vulnerability for Flexera Data Platform and User Console UI
A link is functional over an insecure HTTP connection, and no redirection to HTTPS occurs.
Data sent over a non-HTTPS connection is unencrypted and vulnerable to network sniffing attacks that can expose sensitive or confidential information. This includes non-secure cookies and other potentially sensitive data contained in HTTP headers. Even if no sensitive data is transmitted, man-in-the-middle (MITM) attacks are possible over non-HTTPS connections. An attacker in a MITM position can intercept and change the conversation between the client (e.g., a web browser or mobile device) and the server.
The vulnerability is fixed in the IIS settings only, by disabling HTTP and enabling HTTPS. Flexera cannot directly modify the existing IIS host settings, because users may have other applications deployed on the same IIS. The following manual steps update the settings to remediate the insecure transport vulnerability.
- Open the IIS settings on Data Platform and User Console, respectively.
- Browse to the website where Data Platform or User Console is installed; the default is "Default Web Site".
- Open "Bindings" in the Action panel.
- Remove HTTP bindings from the list and keep HTTPS only.
- Re-run the Data Platform and User Console Configure Wizard to update the website protocol from HTTP to HTTPS.
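
The binding steps above can also be audited and applied from PowerShell. This is an added example, not Flexera tooling; it assumes the IIS WebAdministration module is installed, an elevated session, and the default site name from the steps above, and the -Remove switch is a name chosen for this example.

```powershell
# Added example: audit, and optionally remove, the HTTP bindings of one IIS site.
# Run without -Remove to report only. Only the named site is touched, so other
# applications hosted on the same IIS keep their own bindings.
param(
    [string]$SiteName = 'Default Web Site',   # default from the steps above
    [switch]$Remove                           # hypothetical switch for this example
)

Import-Module WebAdministration -ErrorAction Stop

$bindings = @(Get-WebBinding -Name $SiteName)
if ($bindings.Count -eq 0) {
    throw "No bindings found for site '$SiteName'. Check the site name."
}

Write-Output "Bindings on '$SiteName' before any change:"
$bindings | ForEach-Object { Write-Output ("  {0}  {1}" -f $_.protocol, $_.bindingInformation) }

$http  = @($bindings | Where-Object { $_.protocol -eq 'http' })
$https = @($bindings | Where-Object { $_.protocol -eq 'https' })

# Removing HTTP from a site that has no HTTPS binding would leave it unreachable.
if ($https.Count -eq 0) {
    throw "Site '$SiteName' has no HTTPS binding. Add one with a certificate first."
}

if ($http.Count -eq 0) {
    Write-Output "No HTTP bindings on '$SiteName'; nothing to remove."
    return
}

if (-not $Remove) {
    Write-Output "$($http.Count) HTTP binding(s) would be removed. Re-run with -Remove to apply."
    return
}

# Pipe the binding objects themselves so IP, port and host header match exactly.
$http | Remove-WebBinding

$left = @(Get-WebBinding -Name $SiteName | Where-Object { $_.protocol -eq 'http' })
if ($left.Count -gt 0) {
    throw "$($left.Count) HTTP binding(s) still present on '$SiteName'."
}
Write-Output "HTTP bindings removed; '$SiteName' now serves HTTPS only."
```

The script covers the binding changes only; the Configure Wizard step still has to be run afterwards on Data Platform and User Console.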