how to fix Vulnerability number:34850 Web Server Uses Basic Authentication Without HTTPS

Hi Sunith,

Ok so this isn't a product problem that can be fixed via code, it's just a matter of configuring your environment to enable HTTPS. This is done at the application server level (e.g Tomcat). We do have some guidance here, however please keep in mind this level of configuration lies outside of application support so further assistance will need to be provided via our consulting channel.

In saying this, I know BMC already has a few platforms with HTTPS enabled so think an easy out is to ask your team to assist, as what you're after has already been done ;) .

Hope this helps and please let me know if you need any further guidance.

Regards,David

I finally came across this “how to fix the Vulnerabilty….. 39850” But I think my situation is slightly different but does deal with the vulnerability ID 34850. I've deployed an Elastic-Search, ver. 8.3.2, docker container to work with a GitLab-server. The deployment of the ES container is on a separate VM from the GL-server and the configuration is setup in the Advance Search admin page for GL. Once everything is setup the search functionality on GL works fine. Now when a vulnerability scan is executed, the report exposes this message pointing to port 9200;

• The remote web server contains web pages that are protected by 'Basic' authentication over cleartext.
• An attacker eavesdropping the traffic might obtain logins and passwords of valid users.

The solution from the scan suggests.

• Make sure that HTTP authentication is transmitted over HTTPS.

So, I re-configure the URL on the GL Advanced Search location

from

• http://<host>:9200

to

• https://<host>:9200

Unfortunately, this resulted in a return error 500. Also, the GL help-desk staff doesn’t support the vulnerability errors on the ES for port 9200, only help with initial setup and deployment of ES.

Has anyone come across this problem? If so, what was done to mitigate the vulnerably using this configuration?