HMC

  • 1.  HMC - 443 tcp Sensitive File Disclosure HTTP

    Posted Wed March 27, 2024 05:34 PM

    Hello,

    Please provide your support, how can the following vulnerability be overcome in an HMC that has an LPAR with the IBM i operating system?



    ------------------------------
    Jorge Lee
    ------------------------------


  • 2.  RE: HMC - 443 tcp Sensitive File Disclosure HTTP

    IBM Champion
    Posted Thu March 28, 2024 07:36 AM

    Mitigation:
    - Restrict access to HTTPS to sysadmins (jump hosts, or differentiated VPN profiles).

    Solution:
    - Open a case with IBM to fix any information leakage

    Obs: If it's only "https://<<IP>>/dashboard/web.xml", it's either a template, or it doesn't seem to leak any information that isn't already public.

    <web-app xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0" metadata-complete="true">
      <display-name>Hardware Management Console</display-name>
      <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
      </welcome-file-list>
      <mime-mapping>
        <extension>manifest</extension>
        <mime-type>text/cache-manifest</mime-type>
      </mime-mapping>
    </web-app>



    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------
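
One way to check the observation in the reply above for a given scanner finding, as an added example that is not part of the original thread or IBM code: parse the disclosed web.xml and flag elements or values that would carry more than template content. The tag shortlist and keyword pattern are assumptions, and LEAKY_SAMPLE is a constructed contrast case.

```python
import re
import xml.etree.ElementTree as ET

# Descriptor elements that can hold environment-specific or secret values.
# Editor's triage shortlist (an assumption), not an IBM-published list.
SENSITIVE_TAGS = {"context-param", "init-param", "env-entry", "resource-ref",
                  "data-source", "security-constraint", "login-config"}
SECRET_HINT = re.compile(r"pass(word|wd)?|secret|token|api[-_]?key|jdbc:", re.I)

# The descriptor quoted in the post above (its xsi prefix is undeclared).
PAGE_SAMPLE = """<web-app xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0" metadata-complete="true">
<display-name>Hardware Management Console</display-name>
<welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
<mime-mapping><extension>manifest</extension>
<mime-type>text/cache-manifest</mime-type></mime-mapping>
</web-app>"""

# Constructed contrast case: a descriptor that does carry a connection string.
LEAKY_SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
<context-param><param-name>db.url</param-name>
<param-value>jdbc:db2://db.example.invalid:50000/APP</param-value></context-param>
</web-app>"""


def parse_descriptor(text):
    """Parse web.xml text, tolerating copies that lost their xmlns declarations."""
    # Stdlib parser; for files fetched from untrusted hosts prefer defusedxml.
    try:
        return ET.fromstring(text)
    except ET.ParseError:
        # Drop prefixed attributes (e.g. xsi:schemaLocation) with unbound prefixes.
        return ET.fromstring(re.sub(r'\s[\w.-]+:[\w.-]+="[^"]*"', "", text))


def triage(text):
    """Return (kind, detail) findings; an empty list means nothing was flagged."""
    findings = []
    for elem in parse_descriptor(text).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # strip '{namespace}' prefix
        if name in SENSITIVE_TAGS:
            findings.append(("element", name))
        value = (elem.text or "").strip()
        if value and SECRET_HINT.search(value):
            findings.append(("value", f"{name}: {value}"))
    return findings


if __name__ == "__main__":
    for label, sample in (("page", PAGE_SAMPLE), ("constructed", LEAKY_SAMPLE)):
        print(label, triage(sample) or "nothing flagged")
```

An empty result only means none of the shortlisted elements or keywords appeared; it does not replace the access restriction suggested in the reply.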



  • 3.  RE: HMC - 443 tcp Sensitive File Disclosure HTTP

    IBM Champion
    Posted Thu March 28, 2024 08:58 AM

    A lot of times you can plug in the CVE number at the following link and you will see how to resolve it.

    https://www.ibm.com/support/pages/bulletin/



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------