how to fix Vulnerability number:34850 Web Server Uses Basic Authentication Without HTTPS

Sunhith shared this question 3 years ago
Answered

how to fix Vulnerability number:34850 Web Server Uses Basic Authentication Without HTTPS

Best Answer
photo

Hi Sunith,

Ok so this isn't a product problem that can be fixed via code, it's just a matter of configuring your environment to enable HTTPS. This is done at the application server level (e.g Tomcat). We do have some guidance here, however please keep in mind this level of configuration lies outside of application support so further assistance will need to be provided via our consulting channel.

In saying this, I know BMC already has a few platforms with HTTPS enabled so think an easy out is to ask your team to assist, as what you're after has already been done ;) .


Hope this helps and please let me know if you need any further guidance.


Regards,David

Replies (3)

photo
1

Hi Sunith,

Can I confirm this is the article you're referring to? Web Server Uses Basic Authentication Without HTTPS

If so, is there a reason to believe that there is a different solution?

I'm no security experts by any means, though my interpretation of the article is that this is 'just how it is' as it was created in 2008, and updated again in 2016, though nothing since.

Thanks,David

photo
1

Hi David,


I mean this is correct, what I need to know is whether this problem can be fixed or how it should be fixed.


Thank you,

Sunhith

photo
1

Hi Sunith,

Ok so this isn't a product problem that can be fixed via code, it's just a matter of configuring your environment to enable HTTPS. This is done at the application server level (e.g Tomcat). We do have some guidance here, however please keep in mind this level of configuration lies outside of application support so further assistance will need to be provided via our consulting channel.

In saying this, I know BMC already has a few platforms with HTTPS enabled so think an easy out is to ask your team to assist, as what you're after has already been done ;) .


Hope this helps and please let me know if you need any further guidance.


Regards,David

photo
1

I finally came across this “how to fix the Vulnerabilty….. 39850” But I think my situation is slightly different but does deal with the vulnerability ID 34850. I've deployed an Elastic-Search, ver. 8.3.2, docker container to work with a GitLab-server. The deployment of the ES container is on a separate VM from the GL-server and the configuration is setup in the Advance Search admin page for GL. Once everything is setup the search functionality on GL works fine. Now when a vulnerability scan is executed, the report exposes this message pointing to port 9200;

  • The remote web server contains web pages that are protected by 'Basic' authentication over cleartext.
  • An attacker eavesdropping the traffic might obtain logins and passwords of valid users.

The solution from the scan suggests.

  • Make sure that HTTP authentication is transmitted over HTTPS.

So, I re-configure the URL on the GL Advanced Search location

from

  • http://<host>:9200

to

Unfortunately, this resulted in a return error 500. Also, the GL help-desk staff doesn’t support the vulnerability errors on the ES for port 9200, only help with initial setup and deployment of ES.


Has anyone come across this problem? If so, what was done to mitigate the vulnerably using this configuration?

photo
photo
1

Hi Jeff,

I hope all is well and apologies for the late response in acknowledging your comments... Going forward and as you are aware this isn't a product problem of which lies outside of the Yellowfin application support, however I have kept this Question active and public to anyone who has looked at this and came a cross this before so that they can have their 5 cents on this.

Regards,

Mark

Leave a Comment
 
Attach a file