Vulnerability with lmadmin (v11.14.1)
Hello,
We are using third-party software where lmadmin is resulting in multiple vulnerability scan observations. To name a few:
X-XSS-Protection HTTP Header missing on port 443.
GET / HTTP/1.1
Host: XXX.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 05 Aug 2020 18:38:21 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 04 Nov 2019 21:13:43 GMT
Accept-Ranges: bytes
Content-Length: 84
Keep-Alive: timeout=15, max=96
Connection: Keep-Alive
Content-Type: text/html
X-Content-Type-Options HTTP Header missing on port 443.
---
Qualys finding: 8090
X-Content-Type-Options HTTP Header missing on port 8090.
GET / HTTP/1.1
Host: XXXX:8090
Connection: Keep-Alive
---
Can you confirm whether these issues are fixed in the latest release?
@jbforster, this is a known observation on older versions of lmadmin. The majority of these vulnerabilities have been fixed in the FNP-11.17.0 release. However, one vulnerability for " " is still under assessment and engineering might fix it in future releases.
As a workaround for older versions of lmadmin, the following approach can possibly be used to include (at lmadmin startup) the required extra Apache httpd directives from another user-provided configuration file into the "conf/httpd.conf" generated by lmadmin at startup.
In "conf/server.xml", the license administrator needs to append the following attribute, includeHttpdConfigFile="conf\sampleExtra.conf", to the "configuration->webServer" XML element as shown below.
<webServer documentRoot="web" logRoot="logs" maxRequestSize="4" maxThreads="10" pageSize="20" port="8099" redirectHTTP="false" securePort="0" includeHttpdConfigFile="conf\sampleExtra.conf">
And the contents of the "conf\sampleExtra.conf" file can be something like the following:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
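An added check, not part of the original thread, for confirming that the workaround actually took effect: it parses a captured response like the one quoted in the question, or fetches GET / from a running lmadmin, and lists which of the flagged headers are still missing or carry a different value. The expected values are the ones from the sampleExtra.conf above; the host/port arguments and the sample response are assumptions constructed for the example.

```python
"""Verify the security headers the Qualys findings flagged on an lmadmin web port."""
import http.client
import ssl

# Headers the scanner flagged, with the values the sampleExtra.conf workaround sets.
EXPECTED = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
# HSTS is only meaningful over TLS, so it is required only when https=True.
EXPECTED_TLS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}

def parse_response(raw: str) -> dict:
    """Parse a raw HTTP/1.1 response head (status line + headers) into a dict
    keyed by lower-cased header name; the body, if any, is ignored."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:      # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def missing_headers(headers: dict, https: bool) -> list:
    """Return the expected header names that are absent or have another value."""
    wanted = dict(EXPECTED, **EXPECTED_TLS) if https else EXPECTED
    lower = {k.lower(): v for k, v in headers.items()}
    return sorted(n for n, v in wanted.items() if lower.get(n.lower()) != v)

def check_live(host: str, port: int, https: bool, timeout: float = 5.0) -> list:
    """Send GET / to a running lmadmin (assumed host/port) and report what is missing."""
    if https:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    return missing_headers(dict(conn.getresponse().getheaders()), https)

# Constructed sample: the port-443 response quoted in the question, before the workaround.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\nDate: Wed, 05 Aug 2020 18:38:21 GMT\r\nServer: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    print(missing_headers(parse_response(SAMPLE_BEFORE), https=True))
```

Run `check_live("licserver.example", 8090, https=False)` after restarting lmadmin to confirm the extra directives were picked up on the non-TLS port as well.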