PureConnect
  • 1.  HSTS vulnerability in CIC server

    Posted 02-14-2022 09:04
    Dears,

    I am curious about security features. Our customer did a penetration test on the CIC environment and found some vulnerabilities; some of them were related to the Windows OS and

    others were related to CIC. I'm going to attach them with their ports. Could anyone tell me how I can resolve all these vulnerabilities, or, if we close all the listed ports, will this affect our environment?

    Give me a hand please.


    #Vulnerability_Points:


    Plugin 142960: HSTS Missing From HTTPS Server (RFC 6797)
    Severity: Medium
    Ports: 8019, 8043, 8107, 8952
    Synopsis: The remote web server is not enforcing HSTS, as defined by RFC 6797.
    Description: HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
    Solution: Configure the remote web server to use HSTS.
    Exploitable: No
    Plugin family: Web Servers

    #ArchitectureandDesign

    ------------------------------
    Mohannad haddad
    Fourth Dimension Systems Company
    ------------------------------


  • 2.  RE: HSTS vulnerability in CIC server

    Posted 07-31-2024 17:26

    Hi!

    Were you able to resolve this vulnerability? I am getting exactly the same vulnerability. I can't find a solution anywhere.

    Thanks!

    Edgar



    ------------------------------
    Edgar Luque
    MCAP Financial Corporation
    ------------------------------



  • 3.  RE: HSTS vulnerability in CIC server

    Posted 08-01-2024 10:41

    Hello Team,

    I believe you are going to need to seek an exception, assuming you do not run a web server on the CIC machine (not recommended by Genesys). I am not sure what your current version of CIC is, and maybe going to the latest and greatest will resolve this for you (I am on CIC 2022 R1, and we have not upgraded due to EOL).

    That said, Genesys uses a proprietary version of a web server in the application. It is tied to many of the functions CIC uses, depending on your components. I will look for the doc I had to submit to get an exception in our PCI process, but you can use PowerShell to find the exe from the port; then you need to determine if you need that aspect of CIC.



    ------------------------------
    Christopher Becker
    State of Michigan - Oakland County - WRC
    ------------------------------
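To do what Christopher describes, pairing each flagged port with the process and executable that own it, and to see whether each HTTPS listener actually returns a Strict-Transport-Security header, here is an added example (not from the thread and not Genesys code) written for Windows PowerShell 5.1 on the CIC server. The port list comes from the scan in the first post; probing localhost is an assumption.

```powershell
# Added example, not from the thread or from Genesys. Windows PowerShell 5.1, run elevated on the CIC server.
$ports    = 8019, 8043, 8107, 8952   # ports from the scan report in the first post
$hostName = 'localhost'              # assumption: the scanner hit this server's local listeners

# Internal/self-signed certs are common on CIC hosts and we only want headers,
# so skip certificate validation for this session only (5.1's Invoke-WebRequest honours this).
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

function Get-HstsHeader($response) {
    # Return the Strict-Transport-Security value, or '<missing>' when the server omits it.
    $h = $response.Headers['Strict-Transport-Security']
    if ($h) { [string]$h } else { '<missing>' }
}

$report = foreach ($port in $ports) {
    # 1. Map the listening port to its owning process and executable.
    $proc = $null
    $conn = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if ($conn) { $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue }
    $exe = if ($proc) { $proc.Path }
           elseif ($conn) { "<pid $($conn.OwningProcess)>" }
           else { '<not listening>' }

    # 2. Request a page over HTTPS and look for HSTS. A 4xx/5xx reply still carries
    #    headers, so it is treated as a valid answer; only a connection failure is not.
    $hsts = '<no response>'
    try {
        $resp = Invoke-WebRequest -Uri "https://${hostName}:${port}/" -UseBasicParsing `
                                  -TimeoutSec 5 -ErrorAction Stop
        $hsts = Get-HstsHeader $resp
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { $hsts = Get-HstsHeader $_.Exception.Response }
    }

    [pscustomobject]@{
        Port       = $port
        Process    = if ($proc) { $proc.Name } else { '' }
        Executable = $exe
        HSTS       = $hsts
    }
}

$report | Format-Table -AutoSize
```

The Executable column tells you which CIC component (or unrelated service) owns each listener, which is the input you need for an exception request or for deciding whether that component can be disabled; a header is only effective if it carries a max-age value.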



  • 4.  RE: HSTS vulnerability in CIC server

    Posted 08-01-2024 11:56

    Hi Christopher,

    That's right, I am not running any web server on the CIC servers.

    I will seek an exception then. Just as you mentioned, I believe that a newer CIC version may resolve that vulnerability.

    Thank you!



    ------------------------------
    Edgar Luque
    MCAP Financial Corporation
    ------------------------------


