Hello Team,
I believe you are going to need to seek an exception, assuming you do not run a web server on the CIC machine (not recommended by Genesys). I am not sure what your current version of CIC is, and maybe going to the latest and greatest will resolve this for you (I am on CIC 2022 R1, and we have not upgraded due to EOL).
That said, Genesys uses a proprietary version of a web server in the application. It is tied to many of the functions the CIC uses, depending on your components. I will look for the doc I had to submit to get an exception in our PCI process, but you can use PowerShell to find the exe from the port; then you need to determine whether you need that aspect of CIC.
------------------------------
Christopher Becker
State of Michigan - Oakland County - WRC
------------------------------
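An added example of the PowerShell port-to-executable lookup described in the reply above. This is not code from the post or from Genesys; it assumes Windows PowerShell 5.1 or later with the NetTCPIP module (Get-NetTCPConnection) and an elevated session so that executable paths of SYSTEM services resolve. The port list is constructed from the scan rows quoted further down in the thread, and the function name Get-ListeningProcessForPort is my own.

```powershell
# Added example (not from the original post or from Genesys): map the TCP ports a
# scanner flagged to the process, executable and Windows service that own them,
# so the CIC component behind each listener can be named in an exception request.
# Assumes Windows PowerShell 5.1+ with the NetTCPIP module; run elevated so the
# executable path of SYSTEM services resolves.

function Get-ListeningProcessForPort {
    param([Parameter(Mandatory)][int[]]$Port)

    # Index running services by PID once, so each port lookup does not re-query CIM.
    $servicesByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $id = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
        $servicesByPid[$id] += $_.Name
    }

    foreach ($p in $Port) {
        $listeners = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue
        if (-not $listeners) {
            # Nothing bound now: the port was closed since the scan, or the service is stopped.
            [pscustomobject]@{ Port = $p; LocalAddress = $null; PID = $null
                               Process = '(not listening)'; Path = $null; Services = $null }
            continue
        }
        foreach ($l in $listeners) {
            $owner = [int]$l.OwningProcess
            # Win32_Process gives ExecutablePath for SYSTEM processes in an elevated session;
            # Get-Process .Path returns nothing for processes you cannot open.
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $owner"
            [pscustomobject]@{
                Port         = $p
                LocalAddress = $l.LocalAddress      # 0.0.0.0 or :: means reachable from the network
                PID          = $owner
                Process      = $proc.Name
                Path         = $proc.ExecutablePath
                Services     = ($servicesByPid[$owner] -join ', ')
            }
        }
    }
}

# Ports constructed from the scan report quoted in this thread; substitute your own findings.
Get-ListeningProcessForPort -Port 8019, 8043, 8107, 8952 | Format-Table -AutoSize
```

The Services column is what an exception request usually needs: a listener owned by a named Windows service can be tied to a product component and justified (or disabled) on that basis, whereas a bare executable path still needs a look at what else depends on it. A LocalAddress of 127.0.0.1 or ::1 means the port is not reachable from the scanner's network and the finding is worth re-checking against the scan target.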
Original Message:
Sent: 07-31-2024 17:25
From: Edgar Luque
Subject: HSTS vulnerability in CIC server
Hi!
Were you able to resolve this vulnerability? I am getting exactly the same vulnerability. I can't find a solution anywhere.
Thanks!
Edgar
------------------------------
Edgar Luque
MCAP Financial Corporation
Original Message:
Sent: 02-13-2022 01:20
From: Mohannad haddad
Subject: HSTS vulnerability in CIC server
Dears
I am curious about something related to security features. Our customer ran a penetration test on the CIC environment and found some vulnerabilities; some of them were related to the Windows OS and
others were related to CIC. I am going to attach them with their ports. Could anyone tell me how I can resolve all these vulnerabilities, or, if we close all the listed ports, will this affect our environment?
Please give me a hand.
#Vulnerability_Points :
142960 | HSTS Missing From HTTPS Server (RFC 6797) | Medium | 8019 | The remote web server is not enforcing HSTS, as defined by RFC 6797. | The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. | Configure the remote web server to use HSTS. | No | | | Web Servers |
142960 | HSTS Missing From HTTPS Server (RFC 6797) | Medium | 8043 | The remote web server is not enforcing HSTS, as defined by RFC 6797. | The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. | Configure the remote web server to use HSTS. | No | | | Web Servers |
142960 | HSTS Missing From HTTPS Server (RFC 6797) | Medium | 8107 | The remote web server is not enforcing HSTS, as defined by RFC 6797. | The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. | Configure the remote web server to use HSTS. | No | | | Web Servers |
142960 | HSTS Missing From HTTPS Server (RFC 6797) | Medium | 8952 | The remote web server is not enforcing HSTS, as defined by RFC 6797. | The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. | Configure the remote web server to use HSTS. | No | | | Web Servers |
#ArchitectureandDesign
------------------------------
Mohannad haddad
Fourth Dimension Systems Company
------------------------------
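An added example, not from the original post or from Genesys documentation, of checking the RFC 6797 finding listed above rather than taking the scanner's word for it. One function parses a Strict-Transport-Security header value and reports the gaps (missing header, missing or zero max-age, a max-age below a chosen minimum, unknown directives); a second probes each flagged HTTPS port for the header. It assumes Windows PowerShell 5.1 or PowerShell 7 on a machine that can reach the CIC server; the host name, the sample header values and the one-year minimum max-age are constructed for illustration, and both function names are my own.

```powershell
# Added example (not from the original post or from Genesys): evaluate the
# Strict-Transport-Security header that plugin 142960 reports as missing.
# Assumes Windows PowerShell 5.1 or PowerShell 7; the host name, sample header
# values and the one-year minimum max-age below are constructed for illustration.

function Test-HstsHeaderValue {
    # Parse an HSTS header value (RFC 6797 section 6.1) and list policy gaps.
    param([AllowNull()][string]$Value, [int64]$MinMaxAge = 31536000)

    $r = [ordered]@{ Present = $false; MaxAge = $null; IncludeSubDomains = $false; Preload = $false; Findings = @() }
    if ([string]::IsNullOrWhiteSpace($Value)) {
        $r.Findings += 'HSTS header missing: browsers will still accept http:// for this host'
        return [pscustomobject]$r
    }
    $r.Present = $true
    foreach ($directive in ($Value -split ';')) {
        $name, $val = $directive -split '=', 2
        $name = $name.Trim().ToLowerInvariant()
        if ($null -ne $val) { $val = $val.Trim() }
        if ($name -eq '') { continue }           # trailing ';'
        switch ($name) {
            'max-age'           { if ($val -match '^"?(\d+)"?$') { $r.MaxAge = [int64]$Matches[1] }
                                  else { $r.Findings += "unparseable max-age '$val'" } }
            'includesubdomains' { $r.IncludeSubDomains = $true }
            'preload'           { $r.Preload = $true }
            default             { $r.Findings += "unknown directive '$name' (ignored by browsers)" }
        }
    }
    if ($null -eq $r.MaxAge)          { $r.Findings += 'max-age missing: header is invalid and ignored (RFC 6797 6.1.1)' }
    elseif ($r.MaxAge -eq 0)          { $r.Findings += 'max-age=0 clears any stored HSTS policy for this host' }
    elseif ($r.MaxAge -lt $MinMaxAge) { $r.Findings += "max-age $($r.MaxAge) is below the policy minimum of $MinMaxAge seconds" }
    [pscustomobject]$r
}

function Test-HstsOnPort {
    # Probe https://host:port/ and run Test-HstsHeaderValue on whatever comes back.
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][int[]]$Port,
          [int64]$MinMaxAge = 31536000)

    # Windows PowerShell 5.1 may still default to TLS 1.0; force TLS 1.2 for the probe.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    foreach ($p in $Port) {
        $uri  = "https://${ComputerName}:$p/"
        $resp = $null
        $err  = $null
        try {
            $req = [System.Net.HttpWebRequest]::Create($uri)
            $req.Method = 'GET'
            $req.AllowAutoRedirect = $false          # inspect the first response, like a scanner does
            $req.Timeout = 5000
            # Accept any certificate for this probe only, so a self-signed CIC cert does not mask the header check.
            $req.ServerCertificateValidationCallback = { $true }
            $resp = $req.GetResponse()
        } catch [System.Net.WebException] {
            # 4xx/5xx responses still carry headers; a connect or TLS failure has no Response.
            $resp = $_.Exception.Response
            $err  = $_.Exception.Message
        }
        if (-not $resp) {
            [pscustomobject]@{ Port = $p; Status = $null; Hsts = $null; Findings = "no HTTPS response: $err" }
            continue
        }
        $value = $resp.Headers['Strict-Transport-Security']
        $check = Test-HstsHeaderValue -Value $value -MinMaxAge $MinMaxAge
        $resp.Close()
        [pscustomobject]@{ Port = $p; Status = [int]$resp.StatusCode; Hsts = $value; Findings = ($check.Findings -join '; ') }
    }
}

# Offline checks on constructed header values (no server needed):
Test-HstsHeaderValue -Value $null                                   # finding: header missing
Test-HstsHeaderValue -Value 'max-age=300'                           # finding: below one-year minimum
Test-HstsHeaderValue -Value 'max-age=31536000; includeSubDomains'   # no findings

# Live probe of the ports from the scan report (host name is a placeholder):
# Test-HstsOnPort -ComputerName 'cic-server.example.internal' -Port 8019, 8043, 8107, 8952 | Format-Table -AutoSize
```

Two caveats when reading the results. The header only protects browsers that have already visited the host over HTTPS, so it does nothing for the CIC client and server-to-server traffic on these ports; for an embedded web server whose configuration you cannot change, the practical answers are the ones the earlier reply gives (a documented exception, or a firewall rule that limits who can reach the port). And a listener that refuses the probe entirely (no HTTPS response) is a different finding from one that answers without the header, so keep the two apart in the remediation write-up.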