This chapter describes the security enhancements in Network Communication Manager.

The following third-party components are upgraded in Network Communication Manager 10.1.1 to address multiple security vulnerabilities:

  • Java is upgraded to OpenJDK 11.0.6.
    • With the move to Java 11.0.6, NCM adds an NCM UI installer that is used to launch the NCM UI.
  • Tomcat is upgraded to 9.0.33.
  • Xerces-C is upgraded to 3.2.2.
  • Xalan-C is upgraded to 1.11.1.
  • Groovy is upgraded to 2.5.6.
  • Grails is upgraded to 4.0.0.
  • Spring Framework is upgraded to 5.1.9.
  • Spring Security is upgraded to 5.1.6.
  • Hibernate is upgraded to 5.3.10.
  • Ehcache is upgraded to 3.8.0.
  • NetBeans is upgraded to RELEASE111.
  • OpenSSL is upgraded to 1.1.1g.
  • PostgreSQL is upgraded to 11.5.
The following security enhancements and hardening issues are addressed in the NCM 10.1.1 release:
  • Cross-site scripting (XSS) issues are fixed for the following URLs and reflected parameters in the SysAdmin Console web pages:

    /SysAdmin/console/ServerUtilization.jsp?serverName=<ServerName>

    /SysAdmin/console/ServiceDetails.jsp?serverName=<ServerName>&serviceName=<ServiceName>

    /SysAdmin/console/SaveNotificationSetup.jsp [emails parameter]

  • NCM 10.1.1.0 enforces an additional password constraint: passwords must be at least 15 characters long (STIG V-69555).
  • PostgreSQL STIG hardening issues are addressed in NCM. For details, see PostgreSQL STIG Hardening Fixed Issues.
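The script below is an added example for re-testing the three SysAdmin Console endpoints listed above after the upgrade; it is not part of NCM or its documentation. It sends a harmless marker containing the characters an HTML context must encode (", <, >) and classifies how each page reflects it. It assumes a reachable instance at a base URL such as https://<NCM_IP>:8443, an authenticated JSESSIONID cookie (the SysAdmin Console requires a login), and only the Python 3 standard library; the tag name ncm-xss-probe is made up for the probe.

```python
"""Reflection check for the SysAdmin Console XSS fixes (added example, not NCM code)."""
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Probe value: harmless, but carries the characters (", <, >) that must be encoded
# when a parameter is echoed into HTML. "ncm-xss-probe" is an invented tag name.
MARKER = '"><ncm-xss-probe>'

# Endpoints and the reflected parameters named in the release note.
# NOTE: the POST to SaveNotificationSetup.jsp actually saves the e-mail list;
# run it against a test instance or restore the previous value afterwards.
ENDPOINTS = [
    ("GET", "/SysAdmin/console/ServerUtilization.jsp", {"serverName": MARKER}),
    ("GET", "/SysAdmin/console/ServiceDetails.jsp", {"serverName": MARKER, "serviceName": MARKER}),
    ("POST", "/SysAdmin/console/SaveNotificationSetup.jsp", {"emails": MARKER}),
]


def build_request(base_url, method, path, params):
    """Return (url, body): GET carries the marker in the query string, POST in a form body."""
    encoded = urllib.parse.urlencode(params)
    if method == "GET":
        return f"{base_url}{path}?{encoded}", None
    return f"{base_url}{path}", encoded.encode()


def reflection_state(body, marker=MARKER):
    """'unescaped' if the raw tag reached the page (sink still open), 'escaped' if the
    marker came back entity-encoded, 'absent' if it was not reflected at all.
    'absent' is also what an unauthenticated probe sees (redirect to the login page)."""
    tag = marker[marker.index("<"):]          # '<ncm-xss-probe>'
    if tag in body:
        return "unescaped"
    if tag.strip("<>") in body:
        return "escaped"
    return "absent"


def probe(base_url, session_cookie=None, timeout=10.0):
    """Send every probe and return {path: state}. Assumes a valid JSESSIONID is supplied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # appliance certificate is usually self-signed
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    results = {}
    for method, path, params in ENDPOINTS:
        url, data = build_request(base_url, method, path, params)
        req = urllib.request.Request(url, data=data, method=method)
        if session_cookie:
            req.add_header("Cookie", f"JSESSIONID={session_cookie}")
        if data is not None:
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        try:
            with opener.open(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            body = err.read().decode("utf-8", "replace")   # error pages can reflect input too
        results[path] = reflection_state(body)
    return results


if __name__ == "__main__":
    import sys
    # usage: python xss_recheck.py https://<NCM_IP>:8443 <JSESSIONID>
    for path, state in probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None).items():
        print(f"{state:9s} {path}")
```

Any endpoint reported as "unescaped" still writes the parameter into the page without output encoding and should be treated as an open finding; "escaped" is the expected result on 10.1.1.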
The following security enhancements and hardening issues were addressed in the 10.1.0 release:
  • TLS 1.0 and TLS 1.1 are disabled and only TLS 1.2 is enabled in NCM. All low-strength cipher suites, including RC4, DES and 3DES, are also disabled. The resulting connector settings are:
    SSLProtocol="-TLSv1-TLSv1.1+TLSv1.2"
    SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH:!3DES"
  • Plain HTTP access to the SysAdmin Console is disabled and all HTTP requests are redirected to HTTPS:
    http://<NCM_IP>:8080/SysAdmin URL is redirected to https://<NCM_IP>:8443/SysAdmin
  • Apache Tomcat and Apache HTTP Server are hardened to address security issues related to cross-site scripting, cross-frame scripting (clickjacking) and HTTP Strict Transport Security in NCM.
  • Directory listing is disabled for the following URLs:

    https://<NCM_IP>:443/cgi-bin/

    https://<NCM_IP>:443/icons/

    https://<NCM_IP>:443/tmp/

    https://<NCM_IP>:443/images/

    https://<NCM_IP>:443/web/

    https://<NCM_IP>:443/lib/

    https://<NCM_IP>:443/icons/small/

    https://<NCM_IP>:443/WEB-INF/lib/

    https://<NCM_IP>:443/WEB-INF/

    https://<NCM_IP>:443/app/

    https://<NCM_IP>:443/help/
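The script below is an added example, not NCM's own code, for verifying the 10.1.0 transport hardening described in this section: it lints the SSLProtocol and SSLCipherSuite values quoted above offline, then probes a deployed instance for the TLS versions it accepts on 8443, the HTTP-to-HTTPS redirect on 8080, and an auto-generated index on each of the paths listed above on 443. It assumes those ports from the release note, a self-signed appliance certificate (so certificate verification is deliberately off), and only the Python 3 standard library; the 'all' expansion and the weak-family table are this example's own approximations of the OpenSSL cipher-string rules.

```python
"""Offline lint of the 10.1.0 connector settings plus live probes (added example, not NCM code)."""
import http.client
import re
import socket
import ssl
import sys

# Values copied from the release note.
SSL_PROTOCOL = "-TLSv1-TLSv1.1+TLSv1.2"
SSL_CIPHER_SUITE = ("RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL:!EXPORT"
                    ":!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH:!3DES")
# Paths under "directory listing disabled"; served by Apache HTTP Server on 443.
LISTING_PATHS = ["/cgi-bin/", "/icons/", "/tmp/", "/images/", "/web/", "/lib/",
                 "/icons/small/", "/WEB-INF/lib/", "/WEB-INF/", "/app/", "/help/"]
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Weak families that must be hard-excluded with "!", keyed by the OpenSSL aliases naming them.
WEAK = {"RC4": {"RC4"}, "DES": {"DES"}, "3DES": {"3DES"}, "MD5": {"MD5"},
        "NULL": {"NULL", "eNULL"}, "EXPORT": {"EXP", "EXPORT"}, "aNULL": {"aNULL"}}


def parse_ssl_protocol(spec):
    """Expand a Tomcat/mod_ssl SSLProtocol value into (enabled, disabled) sets.
    Evaluation starts from an empty set: 'all', '+X' or bare 'X' adds, '-X' removes."""
    enabled = set()
    for sign, name in re.findall(r"([+-]?)\s*([A-Za-z][\w.]*)", spec):
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled, ALL_PROTOCOLS - enabled


def unexcluded_weak(spec):
    """Weak families the SSLCipherSuite string does not kill with '!'.
    A '-' only removes for now (a later '+' or bare rule can re-add), so it does not count."""
    killed = {tok[1:] for tok in spec.split(":") if tok.startswith("!")}
    return sorted(fam for fam, aliases in WEAK.items() if not aliases & killed)


def _insecure_client_ctx():
    # Appliance certificates are typically self-signed; we test policy, not identity.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_tls(host, port, version, timeout=5.0):
    """Handshake pinned to one TLS version; return the negotiated version string or None."""
    ctx = _insecure_client_ctx()
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let the client itself still offer TLS 1.0/1.1
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def fetch(host, port, path, https, timeout=5.0):
    """GET one path without following redirects; return (status, lower-cased headers, body)."""
    if https:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=_insecure_client_ctx())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body


def redirect_ok(status, headers, host):
    """True when http://host:8080/SysAdmin is redirected to https://host:8443/SysAdmin."""
    return status in (301, 302, 303, 307, 308) and \
        headers.get("location", "").startswith(f"https://{host}:8443/SysAdmin")


def listing_exposed(status, body):
    """True when a path still returns an auto-generated index (Apache or Tomcat style title)."""
    return status == 200 and re.search(r"<title>\s*(Index of|Directory Listing For)\b", body, re.I) is not None


def main(host):
    enabled, _ = parse_ssl_protocol(SSL_PROTOCOL)
    print("configured:", sorted(enabled), "| weak families still allowed:", unexcluded_weak(SSL_CIPHER_SUITE))
    versions = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1, "TLSv1.2": ssl.TLSVersion.TLSv1_2}
    for name, ver in versions.items():
        got = probe_tls(host, 8443, ver) is not None
        print(f"{name}: {'accepted' if got else 'rejected'} -> {'OK' if got == (name in enabled) else 'MISMATCH'}")
    status, headers, _ = fetch(host, 8080, "/SysAdmin", https=False)
    print("http->https redirect:", "OK" if redirect_ok(status, headers, host) else f"MISMATCH ({status})")
    for path in LISTING_PATHS:
        status, _, body = fetch(host, 443, path, https=True)
        print(f"{path}: {'LISTING EXPOSED' if listing_exposed(status, body) else 'OK'} ({status})")


if __name__ == "__main__":
    main(sys.argv[1])   # usage: python ncm_tls_check.py <NCM_IP>
```

The offline lint only proves that nothing weak is re-enabled; to see exactly which suites the string selects, expand it with `openssl ciphers -v '<SSLCipherSuite value>'` on the appliance. Note that a leading `RSA` selector matches static RSA key exchange suites in OpenSSL, so the expanded list contains no ECDHE suites and the 10.1.0 connector offers no forward secrecy; treat that as something to confirm on your build rather than a statement from the release note.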