HTTP Security Header not detected (HSTS)

  • 7023079
  • 11-Jun-2018
  • 29-Jun-2021

Environment

ZENworks Configuration Management 2017
ZENworks Configuration Management 2020
Service Desk 8.1.2

Situation

A Qualys scan fails with QID 11827 "HTTP Security Header Not Detected" on the ZCM Primary Server or the ZRS Appliance.
It also affects the ZCM System Update port 7444 while a System Update task for the Primary Servers or Satellite Servers is running.

ZSD fails with the error:
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version


Resolution

ZSD
Fixed in v8.2
Fixed with FTF 144069 (new livetime.jar) in v8.1.2


ZCM & ZRS
This fix is specific to the Qualys scan failing with "HTTP Security Header Not Detected".
The following steps make the modifications needed for the scan to pass.
They may need to be reapplied after upgrading to a later ZCM version.
ZCM 2020 UpdateX also affects port 7444 (see below).

For ZENworks Reporting v7.2
Modify the file: /opt/novell/zenworks-reporting/js/apache-tomcat/conf/web.xml
Add the following filter and filter-mapping:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <!-- hstsEnabled and blockContentTypeSniffingEnabled default to true, so this
         filter also emits X-Content-Type-Options: nosniff; HSTS is only sent on
         requests Tomcat considers secure (HTTPS) -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

For ZCM Primary Server
Port 7444 (the System Update port) is a separate issue:
ZeUSJettyServerModule listens on port 7444, to which the admin can connect and track the System Update progress. This port is not open all the time, only while that particular Primary Server is running a System Update task for a Primary or Satellite Server.
ZCM 2020 UpdateX: add the following lines to the zeus.conf file to protect port 7444 from the vulnerability, then restart the zeus service.

jetty-enable-sts=true
jetty-excluded-protocols=TLSv1.1,TLSv1.0


For 20.1 and prior
Other Ports
Modify three files: web.xml, index.jsp and Login.jsp.

Add the following filter and filter-mapping to the file:
<ZENworks_Home>\Novell\ZENworks\share\tomcat\conf\web.xml

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <!-- hstsEnabled and blockContentTypeSniffingEnabled default to true, so this
         filter also emits X-Content-Type-Options: nosniff; HSTS is only sent on
         requests Tomcat considers secure (HTTPS) -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Modify the file:
<ZENworks_Home>\Novell\ZENworks\share\tomcat\webapps\zenworks\jsp\index.jsp

Change the line
response.setHeader("X-XSS-Protection", "0");
to
response.setHeader("X-XSS-Protection", "1; mode=block");

Also add the line:
response.setHeader("Content-Security-Policy", "default-src https: data: 'unsafe-eval' 'unsafe-inline'");

Comment out the following line:
// response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

Modify the file:
<ZENworks_Home>\Novell\ZENworks\share\tomcat\webapps\zenworks\jsp\fw\internal\Login.jsp
Add the following lines:
   response.setHeader("X-XSS-Protection", "1; mode=block");
   response.setHeader("Content-Security-Policy", "default-src https: data: 'unsafe-eval' 'unsafe-inline'");

Comment out the following line:
// response.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN" );


For 20.2:
Other Ports
Modify web.xml, zenserversettings.sh (Linux) and ZENServerW (Windows).

Add the following filter and filter-mapping to web.xml in:

On a Linux Server:
/opt/microfocus/zenworks/share/tomcat/conf/

On a Windows Server:
<ZENSERVER_HOME>\services\zenserver\conf\

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <!-- hstsEnabled and blockContentTypeSniffingEnabled default to true, so this
         filter also emits X-Content-Type-Options: nosniff; HSTS is only sent on
         requests Tomcat considers secure (HTTPS) -->
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
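The same filter block has to be present, with these exact values, in every web.xml named in this article, and the note at the top says it may need to be reapplied after an upgrade. The script below is an added example (not ZENworks or Micro Focus code): it parses a web.xml, with or without the Java EE xmlns declaration, and reports whether the httpHeaderSecurity filter and its /* mapping are declared with the values shown above. The two embedded web.xml fragments are constructed samples, and the function and file names are the example's own.

```python
"""Verify that a Tomcat web.xml declares the httpHeaderSecurity filter and
its /* mapping with the values this article asks for.
Added example; not ZENworks or Micro Focus code."""
import sys
import xml.etree.ElementTree as ET

FILTER_NAME = "httpHeaderSecurity"
FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
# init-param values taken from the article's <filter> block.
EXPECTED_INIT_PARAMS = {
    "hstsMaxAgeSeconds": "31536000",
    "hstsIncludeSubDomains": "true",
    "antiClickJackingOption": "SAMEORIGIN",
}


def _local(tag):
    """Drop the namespace prefix ('{uri}filter' -> 'filter') so files with
    and without the Java EE xmlns declaration are handled alike."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    if not found:
        return None
    return (found[0].text or "").strip()


def check_web_xml(xml_text):
    """Return a list of problems; an empty list means the filter and mapping
    are present and configured as the article specifies."""
    root = ET.fromstring(xml_text)
    problems = []

    filters = [f for f in _children(root, "filter")
               if _text(f, "filter-name") == FILTER_NAME]
    if not filters:
        return ["filter %r is not declared" % FILTER_NAME]
    if len(filters) > 1:
        problems.append("filter %r is declared %d times" % (FILTER_NAME, len(filters)))

    flt = filters[0]
    cls = _text(flt, "filter-class")
    if cls != FILTER_CLASS:
        problems.append("filter-class is %r, expected %r" % (cls, FILTER_CLASS))

    params = {_text(p, "param-name"): _text(p, "param-value")
              for p in _children(flt, "init-param")}
    for name, want in EXPECTED_INIT_PARAMS.items():
        got = params.get(name)
        if got != want:
            problems.append("init-param %s is %r, expected %r" % (name, got, want))

    patterns = [_text(m, "url-pattern") for m in _children(root, "filter-mapping")
                if _text(m, "filter-name") == FILTER_NAME]
    if "/*" not in patterns:
        problems.append("no filter-mapping for %r with url-pattern /*" % FILTER_NAME)
    return problems


# Constructed sample: the article's filter block inside a namespaced web-app root.
GOOD_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
    <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Constructed sample of an incomplete configuration: zero max-age, no
# hstsIncludeSubDomains and no filter-mapping, so the filter never runs.
BAD_WEB_XML = """<web-app>
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
  </filter>
</web-app>
"""

if __name__ == "__main__":
    # Pass the path of a real web.xml to check it; with no argument, check the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"GOOD_WEB_XML": GOOD_WEB_XML, "BAD_WEB_XML": BAD_WEB_XML}
    for label, text in targets.items():
        found = check_web_xml(text)
        print("%s: %s" % (label, "OK" if not found else "; ".join(found)))
```

Run it as `python check_web_xml.py /opt/microfocus/zenworks/share/tomcat/conf/web.xml` (or the Windows path above) after each upgrade; a non-empty result means the block has to be reapplied. A matching web.xml only proves the filter is declared: Tomcat's HttpHeaderSecurityFilter emits Strict-Transport-Security only on requests it considers secure, so the header still has to be confirmed over HTTPS.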


On a Linux Primary Server:
Open /opt/microfocus/zenworks/bin/zenserversettings.sh.
To enable HSTS, set the EnableHSTS property to true on the following line:
JAVA_EXTRA_OPTION="$HEAP_DUMP_OPTIONS $ZEN_PROBE_OPTS $ZEN_JVM_TRUSTSTORE_OPTS $ZEN_JMX_OPTS -DEnableHSTS=true"

To disable HSTS, set the EnableHSTS property to false on the following line:
JAVA_EXTRA_OPTION="$HEAP_DUMP_OPTIONS $ZEN_PROBE_OPTS $ZEN_JVM_TRUSTSTORE_OPTS $ZEN_JMX_OPTS -DEnableHSTS=false"

On a Windows Primary Server:

Go to the %ZENSERVER_HOME%\bin directory (e.g. C:\Program Files (x86)\Micro Focus\ZENworks\bin).

Double-click the file ZENServerW. On the Java tab, add the following at the end of the "Java Options" section, as a new line:

To enable HSTS:
-DEnableHSTS=true

To disable HSTS:
-DEnableHSTS=false

Cause

By default, many web servers do not set these security headers, while scanning tools now require them as a minimum secure configuration.
Verification testing is described in the Additional Information section below.

Additional Information

Qualys ID 11827
This QID is reported when one or more of the following HTTP headers are missing: X-Frame-Options, X-XSS-Protection and X-Content-Type-Options.
Make a request for the starting URI in your web application and check its response headers using a proxy.
  • One or more of the above headers must be missing in the response. The X-Frame-Options response header is used to secure applications against clickjacking. A web application is protected against clickjacking if the response page for any link on the site has this HTTP response header set. For the page to be protected, the value of X-Frame-Options should be either DENY or SAMEORIGIN; the value is not case sensitive.
  • The X-XSS-Protection HTTP header enables the XSS filter in the browser to prevent cross-site scripting attacks.
  • The X-Content-Type-Options HTTP header is used to prevent attacks based on MIME-type mismatch. If this header is set, the content type specified in the header is taken into consideration when interpreting the content.
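The headers listed above can be confirmed from the command line as well as with a proxy. The script below is an added example (not ZENworks, Micro Focus or Qualys code): it fetches a page over HTTPS with the Python standard library and grades the response against the three headers QID 11827 reports on, the Strict-Transport-Security header the filter adds, and the Content-Security-Policy header set in the JSPs, and it flags any header sent twice. The two embedded header sets are constructed samples of a response before and after the changes in this article, and the function names are the example's own.

```python
"""Grade an HTTPS response against the headers Qualys QID 11827 looks for
(X-Frame-Options, X-XSS-Protection, X-Content-Type-Options) plus the
Strict-Transport-Security and Content-Security-Policy headers this article adds.
Added example; not ZENworks, Micro Focus or Qualys code."""
import http.client
import ssl

# One year: the hstsMaxAgeSeconds value used in the article's filter block.
MIN_HSTS_MAX_AGE = 31536000


def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, or -1 when
    the header is absent or malformed."""
    if not value:
        return -1
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def evaluate_headers(pairs):
    """Take the response headers as (name, value) pairs, as http.client
    returns them, and report each check as (ok, detail)."""
    seen = {}
    for name, value in pairs:
        seen.setdefault(name.lower(), []).append(value.strip())

    def first(name):
        return seen.get(name, [None])[0]

    xfo, xss, xcto = first("x-frame-options"), first("x-xss-protection"), first("x-content-type-options")
    sts, csp = first("strict-transport-security"), first("content-security-policy")
    results = {
        # QID 11827 accepts DENY or SAMEORIGIN, case-insensitively.
        "X-Frame-Options": (xfo is not None and xfo.upper() in ("DENY", "SAMEORIGIN"), xfo),
        # "0" disables the browser filter; the article changes it to "1; mode=block".
        "X-XSS-Protection": (xss is not None and xss.startswith("1"), xss),
        "X-Content-Type-Options": (xcto is not None and xcto.lower() == "nosniff", xcto),
        "Strict-Transport-Security": (hsts_max_age(sts) >= MIN_HSTS_MAX_AGE, sts),
        "Content-Security-Policy": (csp is not None, csp),
    }
    # A header emitted twice (by the filter and again by a JSP addHeader call)
    # is flagged so that only one component is left setting it.
    dupes = sorted(n for n, vals in seen.items() if len(vals) > 1)
    results["no duplicate headers"] = (not dupes, dupes)
    return results


def fetch_headers(host, port=443, path="/", verify=True):
    """GET a page over TLS and return the response headers as (name, value)
    pairs. Use verify=False only for a lab appliance with a self-signed cert."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": "header-check/1.0"})
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed samples: a response before and after the changes in this article.
SAMPLE_BEFORE = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("X-XSS-Protection", "0"),
    ("Set-Cookie", "JSESSIONID=constructed; Path=/; Secure; HttpOnly"),
]
SAMPLE_AFTER = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=31536000;includeSubDomains"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "default-src https: data: 'unsafe-eval' 'unsafe-inline'"),
]

if __name__ == "__main__":
    import sys
    # With a hostname argument, check the live server; otherwise grade the samples.
    pairs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AFTER
    for check, (ok, detail) in evaluate_headers(pairs).items():
        print("%-28s %s  %s" % (check, "PASS" if ok else "FAIL", detail))
```

Run it as `python check_headers.py zcm-primary.example.com` (placeholder hostname; add `port=7444` in the `fetch_headers` call to test the System Update port, which the article notes is only open while a System Update task is running). Always test the HTTPS listener: HttpHeaderSecurityFilter only emits Strict-Transport-Security on requests Tomcat considers secure, so a check over plain HTTP will report it missing regardless of the web.xml change.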