This chapter provides information on security enhancements in Network Communication Manager.

The following third-party components are upgraded in Network Communication Manager 10.1.4 to address multiple security vulnerabilities:

  • PostgreSQL is upgraded to 13.1.
  • Spring Framework is upgraded to 5.3.1.
  • Spring Security is upgraded to 5.4.1.
  • BouncyCastle is upgraded to 1.68.
  • Jackson-databind is upgraded to 2.11.4.
The following security enhancement and hardening issues have been addressed as part of the NCM 10.1.4 release:
  • Cross-site scripting issue reported in setupmgr.
The following security enhancement and hardening issues have been addressed as part of the NCM 10.1.3 release:
  • Cross-frame scripting issue reported for setupmgr in Device Server.
  • Cross-frame scripting issue in the Report Advisor web page when launched using port 8443.
  • Cross-site scripting issue reported in SysAdmin for the ServerPath field.
The following security enhancement and hardening issues have been addressed as part of the NCM 10.1.1 release:
  • Cross-site scripting issues have been fixed in the following URLs of the SysAdmin Console web page:

    /SysAdmin/console/ServerUtilization.jsp?serverName=<ServerName>

    /SysAdmin/console/ServiceDetails.jsp?serverName=<ServerName>&serviceName=<ServiceName>

    /SysAdmin/console/SaveNotificationSetup.jsp [emails parameter]

  • NCM 10.1.1.0 enforces an additional security constraint: passwords must be at least 15 characters long (STIG V-69555).
  • PostgreSQL STIG hardening issues have been addressed in NCM. For more information, refer to PostgreSQL STIG Hardening Fixed Issues in 10.1.1.
The following security enhancement and hardening issues have been addressed as part of the 10.1.0 release:
  • The TLS 1.0 and TLS 1.1 protocols have been disabled and only TLS 1.2 is enabled in NCM. All low-strength cipher suites, including RC4, DES and 3DES, have also been disabled. The enforced protocol and cipher suite settings are:
    SSLProtocol="-TLSv1-TLSv1.1+TLSv1.2"
    SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH:!3DES"
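An offline audit of the two settings above, added here as an example (it is not NCM code). The protocol parser follows Tomcat's "+/-/," syntax as found in Tomcat's SSLHostConfig handling (an assumption about the syntax, which is why "-TLSv1-TLSv1.1+TLSv1.2" works without separators), and the cipher check works at the token level of the OpenSSL cipher string without expanding aliases. It also surfaces the difference between "-LOW" (removed, but a later token can add the ciphers back) and "!LOW" (removed permanently). The "all" expansion set and the weak sample configuration are assumptions.

```python
"""Offline audit of the NCM 10.1.0 TLS hardening settings (added example, not NCM code)."""
import re

# Values quoted in the release notes for NCM 10.1.0.
NCM_PROTOCOLS = "-TLSv1-TLSv1.1+TLSv1.2"
NCM_CIPHERS = ("RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL:!EXPORT:"
               "!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH:!3DES")

# What Tomcat expands the keyword "all" to (assumption; check your Tomcat version).
TOMCAT_ALL = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Algorithms the hardening says are gone; each must be killed with "!" in the cipher string.
MUST_KILL = {"RC4", "DES", "3DES", "MD5", "aNULL", "eNULL", "EXP"}
ALIASES = {"EXP": {"EXP", "EXPORT"}}   # OpenSSL accepts either spelling


def parse_tomcat_protocols(value: str) -> set:
    """Return the protocol set a Tomcat-style string enables.

    Tokens are split on a lookahead for '-', '+' or ','. '+' adds, '-' removes,
    a bare or ','-prefixed name adds, and "all" expands to TOMCAT_ALL.
    """
    enabled = set()
    for raw in re.split(r"(?=[-+,])", value):
        tok = raw.strip()
        if len(tok) <= 1:          # empty leading token or a lone operator
            continue
        op = tok[0]
        name = tok[1:].strip() if op in "+-," else tok
        names = TOMCAT_ALL if name.lower() == "all" else {name}
        if op == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def classify_cipher_string(value: str) -> dict:
    """Group the tokens of an OpenSSL cipher string by operator.

    '!' deletes permanently, '-' deletes but a later token can add the ciphers
    back, '+' only moves matching ciphers to the end, and a bare token adds.
    """
    groups = {"killed": set(), "soft_removed": set(), "reordered": set(), "added": []}
    for tok in value.split(":"):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] == "!":
            groups["killed"].add(tok[1:])
        elif tok[0] == "-":
            groups["soft_removed"].add(tok[1:])
        elif tok[0] == "+":
            groups["reordered"].add(tok[1:])
        else:
            groups["added"].append(tok)
    return groups


def audit(protocols: str, ciphers: str) -> list:
    """Return (severity, message) findings; only "info" entries means the policy is met."""
    findings = []
    for proto in sorted(parse_tomcat_protocols(protocols) - ALLOWED_PROTOCOLS):
        findings.append(("fail", f"protocol {proto} is enabled; only TLSv1.2 (and TLSv1.3) are allowed"))
    groups = classify_cipher_string(ciphers)
    for alg in sorted(MUST_KILL):
        names = ALIASES.get(alg, {alg})
        if names & groups["killed"]:
            continue
        if names & groups["soft_removed"]:
            findings.append(("fail", f"{alg} is removed with '-' only and can be re-added; use '!{alg}'"))
        else:
            findings.append(("fail", f"{alg} is not excluded from the cipher string"))
    for alg in sorted(groups["soft_removed"] - groups["killed"]):
        findings.append(("info", f"{alg} is removed with '-', which a later token could re-add; '!{alg}' is the permanent form"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(NCM_PROTOCOLS, NCM_CIPHERS) or [("ok", "policy met")]:
        print(f"{severity}: {message}")
```

Because the checker does not expand OpenSSL aliases, confirm the effective suite list on the appliance itself with `openssl ciphers -v '<cipher string>'` and compare it against what the checker reports.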
  • HTTP access to the SysAdmin Console has been disabled and all HTTP requests are redirected to HTTPS:
    http://<NCM_IP>:8080/SysAdmin is redirected to https://<NCM_IP>:8443/SysAdmin
  • Apache Tomcat and Apache HTTP Server have been hardened to address security issues related to cross-site scripting, cross-frame scripting and HTTP Strict Transport Security (HSTS) in NCM.
  • Directory listing has been disabled for the following URLs:

    https://<NCM_IP>:443/cgi-bin/

    https://<NCM_IP>:443/icons/

    https://<NCM_IP>:443/tmp/

    https://<NCM_IP>:443/images/

    https://<NCM_IP>:443/web/

    https://<NCM_IP>:443/lib/

    https://<NCM_IP>:443/icons/small/

    https://<NCM_IP>:443/WEB-INF/lib/

    https://<NCM_IP>:443/WEB-INF/

    https://<NCM_IP>:443/app/

    https://<NCM_IP>:443/help/
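A post-upgrade verification script for the 10.1.0 web hardening listed above (the HTTP-to-HTTPS redirect, the Strict Transport Security header and the disabled directory listing), added here as an example and not part of NCM. The check functions are pure so they can be exercised against recorded responses; the autoindex title markers, the one-year HSTS baseline, the disabled certificate verification in the live probe and the sample host name are assumptions.

```python
"""Checks for the NCM 10.1.0 web hardening (added example, not NCM code)."""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Paths the release notes list as no longer returning a directory index.
NO_LISTING_PATHS = ["/cgi-bin/", "/icons/", "/tmp/", "/images/", "/web/", "/lib/",
                    "/icons/small/", "/WEB-INF/lib/", "/WEB-INF/", "/app/", "/help/"]
REDIRECT_CODES = {301, 302, 303, 307, 308}
# Title strings produced by Apache mod_autoindex and Tomcat's DefaultServlet (assumption).
LISTING_MARKERS = ("<title>Index of ", "Directory Listing For", "Parent Directory")


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict or an email.message.Message."""
    for key in headers:
        if key.lower() == name.lower():
            return headers[key]
    return None


def check_redirect(status, headers, expected_host):
    """http://<host>:8080/SysAdmin must answer with a 3xx to https://<host>:8443/SysAdmin."""
    if status not in REDIRECT_CODES:
        return f"expected a redirect status, got {status}"
    location = _header(headers, "Location") or ""
    target = urlparse(location)
    if (target.scheme != "https" or target.hostname != expected_host
            or target.port != 8443 or not target.path.startswith("/SysAdmin")):
        return f"redirect target {location!r} is not https://{expected_host}:8443/SysAdmin"
    return None


def check_hsts(headers, min_age=31536000):
    """HTTPS responses must carry Strict-Transport-Security with max-age >= min_age (assumed baseline)."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return "Strict-Transport-Security header is missing"
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age":
            num = num.strip()
            if num.isdigit() and int(num) >= min_age:
                return None
            return f"HSTS max-age {num!r} is below {min_age}"
    return "HSTS header has no max-age directive"


def check_listing(status, body):
    """A 200 whose body looks like an autoindex page means listing is still enabled."""
    if status == 200 and any(marker in body for marker in LISTING_MARKERS):
        return "directory listing is enabled"
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface the 3xx instead of following it


def _fetch(url):
    """Return (status, headers, body) without following redirects.
    Certificate verification is off because NCM appliances commonly use a self-signed cert (assumption)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read().decode("utf-8", "replace")


def probe(host):
    """Run all checks against a live NCM host; returns a list of (what, problem) pairs."""
    problems = []
    status, headers, _ = _fetch(f"http://{host}:8080/SysAdmin")
    msg = check_redirect(status, headers, host)
    if msg:
        problems.append(("http->https redirect", msg))
    status, headers, _ = _fetch(f"https://{host}:8443/SysAdmin")
    msg = check_hsts(headers)
    if msg:
        problems.append(("HSTS on :8443", msg))
    for path in NO_LISTING_PATHS:
        status, _, body = _fetch(f"https://{host}:443{path}")
        msg = check_listing(status, body)
        if msg:
            problems.append((path, msg))
    return problems


if __name__ == "__main__":
    import sys
    for what, msg in probe(sys.argv[1] if len(sys.argv) > 1 else "ncm.example.invalid"):
        print(f"{what}: {msg}")
```

Run it as `python3 check_ncm_web.py <NCM_IP>`; an empty result means all three hardening points hold. The listing check is a heuristic on the page title, so a 200 with a custom page for one of these paths still deserves a manual look.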