New Topic
CommunityTopicQuestionIntegration
Following
photo
David Registro
APAC SD Team
photo
Mark McGuire
EMEA SD Team
Assigned
Properties
Category Integration
Product Version 8.0

how to fix Vulnerability number:34850 Web Server Uses Basic Authentication Without HTTPS

Sunhith shared this question 2 years ago
Answered

how to fix Vulnerability number:34850 Web Server Uses Basic Authentication Without HTTPS

1 The same question
Best Answer
photo
David Registro 2 years ago

Hi Sunith,

Ok so this isn't a product problem that can be fixed via code, it's just a matter of configuring your environment to enable HTTPS. This is done at the application server level (e.g Tomcat). We do have some guidance here, however please keep in mind this level of configuration lies outside of application support so further assistance will need to be provided via our consulting channel.

In saying this, I know BMC already has a few platforms with HTTPS enabled so think an easy out is to ask your team to assist, as what you're after has already been done ;) .


Hope this helps and please let me know if you need any further guidance.


Regards,David

Replies (3)

photo
1
David Registro 2 years ago

Hi Sunith,

Can I confirm this is the article you're referring to? Web Server Uses Basic Authentication Without HTTPS

If so, is there a reason to believe that there is a different solution?

I'm no security experts by any means, though my interpretation of the article is that this is 'just how it is' as it was created in 2008, and updated again in 2016, though nothing since.

Thanks,David

Reply
photo
1
Sunhith 2 years ago

Hi David,


I mean this is correct, what I need to know is whether this problem can be fixed or how it should be fixed.


Thank you,

Sunhith

Reply
photo
1
David Registro 2 years ago

Hi Sunith,

Ok so this isn't a product problem that can be fixed via code, it's just a matter of configuring your environment to enable HTTPS. This is done at the application server level (e.g Tomcat). We do have some guidance here, however please keep in mind this level of configuration lies outside of application support so further assistance will need to be provided via our consulting channel.

In saying this, I know BMC already has a few platforms with HTTPS enabled so think an easy out is to ask your team to assist, as what you're after has already been done ;) .


Hope this helps and please let me know if you need any further guidance.


Regards,David

photo
1
jeff 10 months ago

I finally came across this “how to fix the Vulnerabilty….. 39850” But I think my situation is slightly different but does deal with the vulnerability ID 34850. I've deployed an Elastic-Search, ver. 8.3.2, docker container to work with a GitLab-server. The deployment of the ES container is on a separate VM from the GL-server and the configuration is setup in the Advance Search admin page for GL. Once everything is setup the search functionality on GL works fine. Now when a vulnerability scan is executed, the report exposes this message pointing to port 9200;

  • The remote web server contains web pages that are protected by 'Basic' authentication over cleartext.
  • An attacker eavesdropping the traffic might obtain logins and passwords of valid users.

The solution from the scan suggests.

  • Make sure that HTTP authentication is transmitted over HTTPS.

So, I re-configure the URL on the GL Advanced Search location

from

  • http://<host>:9200

to

Unfortunately, this resulted in a return error 500. Also, the GL help-desk staff doesn’t support the vulnerability errors on the ES for port 9200, only help with initial setup and deployment of ES.


Has anyone come across this problem? If so, what was done to mitigate the vulnerably using this configuration?

photo
photo
1
Mark McGuire 7 months ago

Hi Jeff,

I hope all is well and apologies for the late response in acknowledging your comments... Going forward and as you are aware this isn't a product problem of which lies outside of the Yellowfin application support, however I have kept this Question active and public to anyone who has looked at this and came a cross this before so that they can have their 5 cents on this.

Regards,

Mark

Reply
Leave a Comment
 
Attach a file