Contributor
Posts: 23
Registered: ‎09-26-2011

Security Issue on a switch FC (Apache HTTP Server httpOnly Cookie Information Disclosure)

Hi mates,

The security team has informed me about this warning: "Apache HTTP Server httpOnly Cookie Information Disclosure"

Switch Details:

Switch info

Firmware Version

Web interface disabled

http://oi57.tinypic.com/2u5yply.jpg

http://oi57.tinypic.com/15ehi0j.jpg

http://oi57.tinypic.com/15npv7s.jpg

Could someone tell me how to fix it? Should I do an upgrade? Which version?

Thanks!!

PS: I think it could be a false positive

Contributor
Posts: 23
Registered: ‎09-26-2011

Re: Security Issue on a switch FC (Apache HTTP Server httpOnly Cookie Information Disclosure)

Any update?

Frequent Contributor
Posts: 130
Registered: ‎02-05-2014

Re: Security Issue on a switch FC (Apache HTTP Server httpOnly Cookie Information Disclosure)

I often see that so-called "security experts" run a network-wide scan and then throw all these sorts of messages at the respective departments.

They should provide more information, like which HTTP daemon (Apache, nginx, IIS, etc.) is susceptible, including the versions affected and which version includes the fix.

There have been a fair number of FOS upgrades related to bash and HTTP security issues, and these have been resolved in subsequent FOS upgrades. If you run 6.4.3e or 7.3.1a you should be OK.

If you know which software package is susceptible you can check here for the specific package and see if it has been resolved in newer FOS releases.

Kind regards,
Erwin van Londen
Brocade Distinguished Architect
http://www.erwinvanlonden.net The Fibre Channel blog


Contributor
Posts: 23
Registered: ‎09-26-2011

Re: Security Issue on a switch FC (Apache HTTP Server httpOnly Cookie Information Disclosure)

Thanks for your reply!

But I do not understand why we get these messages. We have blocked (via ipfilter) the HTTP access (port 80). To avoid this message, should we block port 443 too? I mean via ipfilter?

Thanks!!

Contributor
Posts: 23
Registered: ‎09-26-2011

Re: Security Issue on a switch FC (Apache HTTP Server httpOnly Cookie Information Disclosure)

Any comments? Any update?

Thanks!

Frequent Contributor
Posts: 130
Registered: ‎02-05-2014

Re: Security Issue on a switch FC (Apache HTTP Server httpOnly Cookie Information Disclosure)

Yes, obviously the same Cookie Disclosure information is available via the SSL port. Fence this off and you should be good to go unless your ruleset doesn't take your network configuration into account. I assume that the security guys have multiple entries into the network and therefore may be able to bypass your rules. Anyway, you should check with them first.

As I'm a huge opponent of these very bad workarounds, you should grab the bull by the horns and fix the underlying issue. Investigate if the security problem is fixed in newer code levels and upgrade to that. This way you don't have to keep track of all these bypasses and workarounds. I've seen issues like this where switches became totally unmanageable when the network guys decided to do some re-designing of their subnets. Their SAN kit was stuck in a black hole and they needed to send someone 800 miles further up to reconfigure the switches. An expensive exercise.

Kind regards,
Erwin van Londen
Brocade Distinguished Architect
http://www.erwinvanlonden.net The Fibre Channel blog

