This chapter provides information on security enhancements in Network Communication Manager.
The following third-party components are upgraded in Network Communication Manager 10.1.3 to address multiple security vulnerabilities:
- Java is upgraded to OpenJDK 11.0.8.
- With the Java 11.0.8 update, NCM adds an NCM UI installer that launches the NCM UI.
- Tomcat is upgraded to 9.0.38.
- Dom4j is upgraded to 2.1.3.
- ActiveMQ is upgraded to 5.16.0.
- Gsoap is upgraded to 2.8.104.
- Boost Library is upgraded to 1.70.
The following security enhancement and hardening issues have been addressed in the NCM 10.1.3 release:
- Cross-frame scripting issue reported for setupmgr in Device Server.
- Cross-frame scripting issue in the Report Advisor web page when launched using port 8443.
- Cross-site scripting reported in SysAdmin for the ServerPath field.
The following security enhancement and hardening issues have been addressed in the NCM 10.1.1 release:
- Cross-site scripting issues addressed for the following URLs in the SysAdmin Console web page:
/SysAdmin/console/ServerUtilization.jsp?serverName=<ServerName>
/SysAdmin/console/ServiceDetails.jsp?serverName=<ServerName>&serviceName=<ServiceName>
/SysAdmin/console/SaveNotificationSetup.jsp [emails parameter]
- NCM 10.1.1.0 enforces an additional security constraint to use a minimum of 15-character password length (STIG V-69555).
- PostgreSQL STIG hardening issues have been addressed in NCM. For more information, refer to PostgreSQL STIG Hardening Fixed Issues in 10.1.1.
The following security enhancement and hardening issues have been addressed in the 10.1.0 release:
- The TLS 1.0 and TLS 1.1 protocols have been disabled; only TLS 1.2 is enabled in NCM. All low-strength cipher suites, including RC4, DES and 3DES, have also been disabled:
SSLProtocol="-TLSv1-TLSv1.1+TLSv1.2" SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH:!3DES"
- HTTP access to the SysAdmin Console has been disabled and all HTTP requests are redirected to HTTPS:
http://<NCM_IP>:8080/SysAdmin is redirected to https://<NCM_IP>:8443/SysAdmin
- Apache Tomcat and Apache HTTP Server have been hardened to address security issues related to cross-site scripting, cross-frame scripting and HTTP Strict Transport Security in NCM.
- Directory listing has been disabled for the following URLs:
https://<NCM_IP>:443/cgi-bin/
https://<NCM_IP>:443/icons/
https://<NCM_IP>:443/tmp/
https://<NCM_IP>:443/images/
https://<NCM_IP>:443/web/
https://<NCM_IP>:443/lib/
https://<NCM_IP>:443/icons/small/
https://<NCM_IP>:443/WEB-INF/lib/
https://<NCM_IP>:443/WEB-INF/
https://<NCM_IP>:443/app/
https://<NCM_IP>:443/help/
- Apache STIG hardening issues have been addressed in NCM. For more information, refer to Apache STIG Hardening Fixed Issues in 10.1.1.
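The SSLProtocol and SSLCipherSuite values listed under the 10.1.0 hardening above can be verified rather than trusted. The following checker is an added example, not NCM's own code or configuration tooling: it expands the sign-prefixed SSLProtocol form shown on the page into the set of enabled protocols and confirms that the OpenSSL-style cipher list permanently excludes RC4, DES and 3DES with "!" tokens. It assumes the sign-prefixed protocol syntax (tokens split on "+", "-" or ",") and treats "all" as the four TLS versions.

```python
import re

# Hardened values copied from the 10.1.0 notes above; used here as test input.
HARDENED_PROTOCOL = "-TLSv1-TLSv1.1+TLSv1.2"
HARDENED_CIPHERS = ("RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL:!EXPORT:"
                    "!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH:!3DES")

WEAK_FAMILIES = ("RC4", "DES", "3DES")     # families the notes say are disabled
LEGACY_PROTOCOLS = ("TLSv1", "TLSv1.1")    # protocols the notes say are disabled
ALL_TLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # assumed meaning of "all"


def parse_protocols(value):
    """Expand a sign-prefixed SSLProtocol value into the enabled protocol set.
    '+name' or a bare 'name' enables, '-name' disables; tokens are applied
    left to right, so later tokens override earlier ones."""
    enabled = set()
    for token in re.split(r"(?=[-+,])", value):
        token = token.strip(",").strip()
        if not token:
            continue
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_TLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def unexcluded_weak_families(cipher_list):
    """Return weak families not permanently removed with a '!' token.
    A '-FAMILY' removal can be re-added by a later '+' token, so only '!'
    counts as hardened."""
    banned = {t[1:] for t in cipher_list.split(":") if t.startswith("!")}
    return [fam for fam in WEAK_FAMILIES if fam not in banned]


def check_connector(protocol_value, cipher_list):
    """Return a list of findings; an empty list means the connector matches
    the hardening described in the 10.1.0 notes."""
    findings = []
    enabled = parse_protocols(protocol_value)
    for legacy in LEGACY_PROTOCOLS:
        if legacy in enabled:
            findings.append(f"legacy protocol enabled: {legacy}")
    if "TLSv1.2" not in enabled:
        findings.append("TLSv1.2 not enabled")
    for fam in unexcluded_weak_families(cipher_list):
        findings.append(f"weak cipher family not excluded: {fam}")
    return findings
```

Run `check_connector` over the values from a connector's configuration; the hardened pair from the notes yields no findings, while a permissive value such as `all` with `HIGH:MEDIUM:-LOW` reports the legacy protocols and each weak family.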