Mitigation:
- Restrict HTTPS access to sysadmins (jump hosts, or differentiated VPN profiles).
Solution:
- Open a case with IBM to fix any information leakage.
Note: If it's only "https://<<IP>>/dashboard/web.xml", it's either a template, or it doesn't seem to leak any information that isn't already public.
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0" metadata-complete="true">
  <display-name>Hardware Management Console</display-name>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
  <mime-mapping>
    <extension>manifest</extension>
    <mime-type>text/cache-manifest</mime-type>
  </mime-mapping>
</web-app>
------------------------------
José Pina Coelho
IT Specialist at Kyndryl
------------------------------
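A way to turn the note above into a repeatable check, as an added example that is not part of the reply and not IBM's or Kyndryl's code: the script fetches the descriptor from an HMC (or runs offline on a constructed copy of the one quoted in the reply) and reports whether it contains only Servlet 3.0 boilerplate or elements that would actually disclose something, such as servlet class names, context parameters or security constraints. The path /dashboard/web.xml is the one from the thread; the namespace declarations in the sample, the host argument and the --insecure flag are assumptions for this example.

```python
"""Triage the web.xml an HMC serves on 443/tcp (added example, not from the thread)."""
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Top-level elements that are harmless boilerplate in any Servlet 3.0 descriptor.
BENIGN = {"display-name", "description", "welcome-file-list", "mime-mapping",
          "session-config", "jsp-config", "error-page"}
# Elements whose content tells an attacker about the application's internals.
SENSITIVE = {"servlet", "servlet-mapping", "filter", "filter-mapping", "listener",
             "context-param", "security-constraint", "login-config", "security-role",
             "env-entry", "resource-ref", "ejb-ref"}

# Constructed sample: the descriptor quoted in the reply above, with the standard
# namespace declarations added (assumed; the quoted copy omits them).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0" metadata-complete="true">
  <display-name>Hardware Management Console</display-name>
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
  <mime-mapping><extension>manifest</extension><mime-type>text/cache-manifest</mime-type></mime-mapping>
</web-app>"""


def _local(tag):
    """Strip the namespace so '{http://java.sun.com/xml/ns/javaee}servlet' reads as 'servlet'."""
    return tag.split("}")[-1]


def triage_web_xml(xml_text):
    """Classify a descriptor: template_only is True when every top-level element is
    boilerplate; findings lists (element, [(leaf, text), ...]) for sensitive elements so
    class names, URL patterns and parameter values are visible to the reviewer."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "web-app":
        raise ValueError("not a web-app descriptor: <%s>" % _local(root.tag))
    elements = [_local(child.tag) for child in root]
    display_name = ""
    findings = []
    for child in root:
        name = _local(child.tag)
        if name == "display-name":
            display_name = (child.text or "").strip()
        elif name in SENSITIVE:
            leaves = [(_local(leaf.tag), leaf.text.strip()) for leaf in child.iter()
                      if leaf is not child and leaf.text and leaf.text.strip()]
            findings.append((name, leaves))
    unknown = sorted(set(elements) - BENIGN - SENSITIVE)  # unclassified elements get manual review
    return {"display_name": display_name, "elements": elements, "findings": findings,
            "unknown": unknown, "template_only": not findings and not unknown}


def fetch_web_xml(host, path="/dashboard/web.xml", verify=True):
    """Fetch the descriptor over HTTPS. verify=False tolerates the self-signed certificate
    an HMC typically presents; use it only from the admin network being audited."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen("https://%s%s" % (host, path), context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def main(argv):
    # usage: python triage_web_xml.py [<hmc-host> [--insecure]]; with no host the sample runs offline
    text = fetch_web_xml(argv[1], verify="--insecure" not in argv[2:]) if len(argv) > 1 else SAMPLE_WEB_XML
    result = triage_web_xml(text)
    print("display-name:", result["display_name"] or "(none)")
    print("top-level elements:", ", ".join(result["elements"]))
    if result["template_only"]:
        print("verdict: boilerplate template; nothing beyond public information")
        return
    print("verdict: review these elements before closing the finding")
    for element, leaves in result["findings"]:
        print("  <%s>: %s" % (element, "; ".join("%s=%s" % kv for kv in leaves)))
    for element in result["unknown"]:
        print("  <%s>: unclassified, inspect manually" % element)


if __name__ == "__main__":
    main(sys.argv)
```

On the quoted descriptor the verdict is "boilerplate template", which supports the note above; a descriptor that lists servlet classes, init parameters or role names is what should go into the IBM case. Fetching with --insecure only relaxes certificate checking for the one GET, and the mitigation above still applies regardless of the verdict: the descriptor should not be reachable from anything but the sysadmin path.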
Original Message:
Sent: Tue March 26, 2024 05:47 PM
From: Jorge Lee
Subject: HMC - 443 tcp Sensitive File Disclosure HTTP
Hello,
Please provide your support: how can the following vulnerability be overcome in an HMC that has an LPAR with the IBM i operating system?
------------------------------
Jorge Lee
------------------------------