jbforster
Level 4

Vulnerability with lmadmin (v11.14.1)

Jump to solution

Hello,

We are using 3rd-party software in which lmadmin is resulting in multiple vulnerability scan observations. To name a few:

X-XSS-Protection HTTP Header missing on port 443.
GET / HTTP/1.1
Host: XXX.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 05 Aug 2020 18:38:21 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 04 Nov 2019 21:13:43 GMT
Accept-Ranges: bytes
Content-Length: 84
Keep-Alive: timeout=15, max=96
Connection: Keep-Alive
Content-Type: text/html

X-Content-Type-Options HTTP Header missing on port 443.

---
Qualys finding: 8090
X-Content-Type-Options HTTP Header missing on port 8090.
GET / HTTP/1.1
Host: XXXX:8090
Connection: Keep-Alive

===========================================

Can you confirm whether these issues are fixed in the latest release?

0 Kudos
(1) Solution
aparashar1
Flexera Alumni

@jbforster, this is a known observation on older versions of lmadmin. The majority of these vulnerabilities have been fixed in the FNP-11.17.0 release. However, one vulnerability, for " ", is still under assessment and engineering might fix it in future releases.

As a workaround for older versions of lmadmin, the following can possibly be used to include, at lmadmin startup, the required extra Apache httpd directives from another user-provided configuration file into the "conf/httpd.conf" generated by lmadmin at startup.

In "conf/server.xml", the license administrator needs to append the following attribute - includeHttpdConfigFile="conf\sampleExtra.conf" - to the "configuration->webServer" XML element, as shown below.

<webServer documentRoot="web" logRoot="logs" maxRequestSize="4" maxThreads="10" pageSize="20" port="8099" redirectHTTP="false" securePort="0" includeHttpdConfigFile="conf\sampleExtra.conf">

And the contents of the "conf\sampleExtra.conf" file can be something like the following:

# Extra httpd directives merged into conf/httpd.conf by lmadmin at startup
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
(If my response assists with your questions, then please click "ACCEPT AS SOLUTION" or 'Kudos' so that it helps others.)

0 Kudos
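A practical follow-up to the accepted answer is verifying that the extra directives actually reach the response after lmadmin is restarted. The script below is an added example and is not code from the original post, from Flexera, or from lmadmin. It parses a raw HTTP/1.1 response (the constructed sample reuses the response headers quoted in the question), reports which of the scanner-flagged headers are missing or carry a value other than the one set in sampleExtra.conf, and includes an optional helper that fetches the same information from a live lmadmin instance you administer. The host/port arguments and the header set checked are assumptions for the example.

```python
"""Audit an lmadmin HTTP response for the security headers the scan flagged.

Added example, not part of the original forum post or of lmadmin itself.
"""
import http.client
import ssl
from typing import Dict, List, Tuple

# Lower-cased header name -> expected value (None = any value accepted).
# Values mirror the sampleExtra.conf from the accepted answer; X-Frame-Options
# is included because the quoted scan output shows it already present.
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": None,
    "strict-transport-security": None,
}

# Constructed sample: the port-443 response quoted in the question,
# with a placeholder body (the real body is not on the page).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 05 Aug 2020 18:38:21 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Last-Modified: Mon, 04 Nov 2019 21:13:43 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 84\r\n"
    "Keep-Alive: timeout=15, max=96\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>placeholder body</html>"
)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return a lower-cased name -> value map for the head of a raw response."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore it
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw_response: str) -> Tuple[List[str], List[str]]:
    """Return (missing, wrong_value) header names for one raw response."""
    present = parse_headers(raw_response)
    missing: List[str] = []
    wrong: List[str] = []
    for name, expected in EXPECTED_HEADERS.items():
        if name not in present:
            missing.append(name)
        elif expected is not None and present[name].lower() != expected.lower():
            wrong.append(name)
    return missing, wrong


def fetch_raw_headers(host: str, port: int, use_tls: bool) -> str:
    """Fetch '/' from a live server you administer and rebuild a raw head block.

    Assumed usage: point it at your own lmadmin port after applying the fix
    and pass the result to audit_headers(). Not exercised by the sample run.
    """
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, context=ssl.create_default_context(), timeout=10)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{name}: {value}" for name, value in resp.getheaders()]
    conn.close()
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    missing, wrong = audit_headers(SAMPLE_RESPONSE)
    print("missing headers:", missing)
    print("unexpected values:", wrong)
```

Run against the constructed sample it reports X-Content-Type-Options, X-XSS-Protection and Strict-Transport-Security as missing, matching the Qualys observations. Two caveats when using it on a live instance: Strict-Transport-Security is only meaningful (and only honoured by browsers) on the TLS port, so a scanner flagging its absence on a plain-HTTP port is expected; and current browsers ignore X-XSS-Protection entirely, so that directive satisfies the scanner rather than adding real protection, while X-Content-Type-Options: nosniff and X-Frame-Options still do useful work.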