This chapter describes the security enhancements in Network Communication Manager (NCM).

The following third-party components have been upgraded in Network Communication Manager to address multiple security vulnerabilities:

  • Java is upgraded to 1.8u212.
  • Apache Tomcat is upgraded to 9.0.20.
  • Apache Commons Collections is upgraded to 3.2.2.
The following security enhancements and hardening issues have been addressed in this release:
  • TLS 1.0 and TLS 1.1 have been disabled; only TLS 1.2 is enabled in NCM. All low-strength cipher suites, including RC4, DES and 3DES, have also been disabled. The cipher list is written in OpenSSL cipher-list syntax:
    SSLProtocol="-TLSv1-TLSv1.1+TLSv1.2"
    SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH:!3DES"
    Note that this string starts from the RSA alias and excludes EDH (ephemeral Diffie-Hellman), so the exact set of suites that remains, and whether any of them use ephemeral ECDH and therefore provide forward secrecy, depends on the OpenSSL build behind the connector. Check the resolved list with openssl ciphers -v '<string>' on the NCM host rather than assuming it.
  • HTTP access to the SysAdmin Console has been disabled; every HTTP request is redirected to HTTPS:
    http://<NCM_IP>:8080/SysAdmin URL is redirected to https://<NCM_IP>:8443/SysAdmin
  • Apache Tomcat and the Apache HTTP Server have been hardened to address security issues related to cross-site scripting, cross-frame scripting (clickjacking) and HTTP Strict Transport Security in NCM.
  • Directory listing has been disabled for the following URLs (port 443):
    https://<NCM_IP>:443/cgi-bin/
    https://<NCM_IP>:443/icons/
    https://<NCM_IP>:443/tmp/
    https://<NCM_IP>:443/images/
    https://<NCM_IP>:443/web/
    https://<NCM_IP>:443/lib/
    https://<NCM_IP>:443/icons/small/
    https://<NCM_IP>:443/WEB-INF/lib/
    https://<NCM_IP>:443/WEB-INF/
    https://<NCM_IP>:443/app/
    https://<NCM_IP>:443/help/
    Disabling the index only stops a request for the directory itself from enumerating its contents; a file under one of these paths that is requested by name is still served unless it is blocked separately, and WEB-INF/ in particular should never be reachable from a browser at all.
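The following script is an added example for verifying this chapter's hardening from the outside; it is not part of NCM or of this release. It covers the TLS item (resolving the quoted SSLCipherSuite string with the local OpenSSL through Python's ssl module and flagging any RC4, DES, 3DES, NULL, export or MD5 suite that survives, plus any suite without forward secrecy, which the string's RSA-first selection and !EDH can leave behind) and the HTTP items (the 8080 to 8443 redirect of /SysAdmin, the presence of Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options headers, and whether any of the listed paths on port 443 still returns an index). The host address, the minimum header set and the listing-title patterns for Apache httpd and Tomcat are assumptions, not statements from the release note; the judgement functions are pure, so they can be exercised on constructed responses without a live NCM.

```python
"""Verify the TLS and HTTP hardening described in this chapter (added example, not NCM code).

Judgement functions are pure (status/headers/body in, verdict out) so they run on
constructed data; audit_cipher_string() uses the local OpenSSL through the ssl module;
fetch() talks to a live host. Host, ports, header set and title patterns are assumptions.
"""
import http.client
import re
import ssl
import sys

# Cipher string quoted in the release note.
NCM_CIPHER_STRING = ("RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL:!EXPORT:"
                     "!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH:!3DES")
# Minimum header set a hardened server is expected to send (assumption, not from the note).
REQUIRED_HEADERS = {"strict-transport-security", "x-frame-options", "x-content-type-options"}
# Paths the release note says no longer return a directory index (port 443).
LISTING_PATHS = ["/cgi-bin/", "/icons/", "/tmp/", "/images/", "/web/", "/lib/",
                 "/icons/small/", "/WEB-INF/lib/", "/WEB-INF/", "/app/", "/help/"]
_FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")


def parse_description(desc):
    """Split an OpenSSL description like 'RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1'."""
    fields = dict(_FIELD.findall(desc))
    fields["export"] = " export" in desc  # OpenSSL appends ' export' to export-grade suites
    return fields


def weak_cipher_reasons(desc):
    """Policy violations for one suite; an empty list means the suite is acceptable."""
    f = parse_description(desc)
    enc = f.get("Enc", "").split("(")[0]
    reasons = []
    if enc in ("RC4", "DES", "3DES", "None"):
        reasons.append("weak or null encryption: " + enc)
    if f.get("Mac") == "MD5":
        reasons.append("MD5 MAC")
    if f.get("Au") == "None":
        reasons.append("anonymous (unauthenticated) key exchange")
    if f["export"] or "(" in f.get("Kx", ""):
        reasons.append("export-grade key exchange")
    return reasons


def has_forward_secrecy(desc):
    """Ephemeral (EC)DH, or TLS 1.3 (shown as Kx=any), gives forward secrecy; static RSA
    key exchange does not: recorded sessions become readable if the server key ever leaks."""
    return parse_description(desc).get("Kx") in ("ECDH", "DH", "any")


def audit_cipher_string(spec):
    """Resolve `spec` with the local OpenSSL; return (selected names, {name: reasons},
    names without forward secrecy). OpenSSL always lists its TLS 1.3 suites as well."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError when the string selects nothing
    suites = ctx.get_ciphers()
    weak = {}
    for c in suites:
        reasons = weak_cipher_reasons(c["description"])
        if reasons:
            weak[c["name"]] = reasons
    no_pfs = [c["name"] for c in suites if not has_forward_secrecy(c["description"])]
    return [c["name"] for c in suites], weak, no_pfs


def check_redirect(status, headers, expected_prefix):
    """A plain-HTTP request must be answered with a redirect to the HTTPS URL, not with content."""
    location = headers.get("location", "")
    return status in (301, 302, 303, 307, 308) and location.lower().startswith(expected_prefix.lower())


def missing_security_headers(headers):
    """Required header names the response lacks (header names are case-insensitive)."""
    return sorted(REQUIRED_HEADERS - {k.lower() for k in headers})


def directory_listing_exposed(status, body):
    """Apache httpd's mod_autoindex titles a listing 'Index of ...', Tomcat's DefaultServlet
    'Directory Listing For ...'; a 200 with either title means listing is still enabled."""
    return status == 200 and bool(re.search(r"<title>\s*(Index of|Directory Listing For)", body, re.I))


def fetch(host, port, path, tls):
    """GET one URL and return (status, lower-cased headers, body). Certificate verification is
    deliberately off: the check must work against an appliance's self-signed certificate."""
    if tls:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=10, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read(65536).decode("utf-8", "replace")
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # assumed NCM address
    selected, weak, no_pfs = audit_cipher_string(NCM_CIPHER_STRING)
    print(f"{len(selected)} suites selected; weak: {weak or 'none'}; no forward secrecy: {no_pfs or 'none'}")
    status, headers, _ = fetch(host, 8080, "/SysAdmin", tls=False)
    print("http->https redirect:", check_redirect(status, headers, f"https://{host}:8443/SysAdmin"))
    status, headers, _ = fetch(host, 8443, "/SysAdmin", tls=True)
    print("missing security headers:", missing_security_headers(headers) or "none")
    for path in LISTING_PATHS:
        status, _, body = fetch(host, 443, path, tls=True)
        if directory_listing_exposed(status, body):
            print("directory listing still enabled:", path)
```

Run it as python3 ncm_hardening_check.py <NCM_IP>. The cipher audit reflects the OpenSSL the script itself runs under, so run it on the NCM host or on a machine with the same OpenSSL version as the connector; a non-empty "no forward secrecy" list is a property of the quoted cipher string rather than a defect this release claims to fix, but it is worth knowing before accepting the configuration.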