Is Via G&L vulnerable to the “Strict Transport security misconfiguration”
Originally Published: 2016-08-30
Article Summary
A vulnerability scan reported that the HTTP Strict-Transport-Security header was not found in HTTP responses.
HTTP login is already disabled at the customer site.
So is the product vulnerable to the Strict Transport Security misconfiguration?
Issue Background:
The HTTP Strict Transport Security policy defines a timeframe during which a browser
must connect to the web server only via HTTPS. Without a Strict Transport Security
policy the web application may be vulnerable to several attacks:
· If the web application mixes HTTP and HTTPS, an attacker can
manipulate pages in the unsecured part of the application or change
redirection targets so that the switch to the secured page is not
performed, or is performed in a manner that leaves the attacker between client and
server.
· If there is no HTTP server, an attacker on the same network could impersonate an
HTTP server and lure the user into clicking a prepared URL through a social
engineering attack.
The protection is effective only for the period the header specifies. Multiple
occurrences of this header could cause undefined behaviour in browsers and
should be avoided.
Issue Detail:
There was no "Strict-Transport-Security" header in the server response.
Occurrences:
GET https://sbela00350.be.extranet/aveksa/attachment?token=t6df834f71539de95ba5
GET https://sbela00350.be.extranet/aveksa/custom.jsp?page=home.jsp
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/alinks.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/context.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/files.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/common/title.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Connector_Configuration_Guide/wwhdata/js/toc.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/alinks.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/context.js
GET https://sbela00350.be.extranet/aveksa/help/Access_Fulfillment_Express_Guide/wwhdata/common/files.js
GET https://sbela00350.be.extranet/aveksa/main
… and more (global issue)
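To verify a finding like the one above, or to confirm a fix once the header ships, it helps to check each HTTPS response for a Strict-Transport-Security header and validate what it says: the header must be present, must carry a max-age directive (the protection lasts only that long), and should appear only once, since duplicate copies behave unpredictably in browsers. The following checker is an added example, not RSA's code or the scanner's; the sample responses are constructed, and the 180-day minimum max-age is an assumed policy threshold, not a value from the article.

```python
"""Validate the HTTP Strict Transport Security header in HTTP responses.
Added example, not code from the product or the scanner. The sample
responses below are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Assumed policy threshold for this check: 180 days in seconds.
MIN_MAX_AGE = 180 * 24 * 3600


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse a raw HTTP response head into (name, value) pairs.
    Duplicates and order are preserved; names are lower-cased because
    header names are case-insensitive."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS value into its directives (RFC 6797 section 6.1).
    Directive names are case-insensitive; valueless directives map to ''."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(raw_response: str, min_max_age: int = MIN_MAX_AGE) -> List[str]:
    """Return findings for one response; an empty list means the HSTS
    policy is present, well-formed and meets the assumed threshold."""
    findings = []
    values = [v for n, v in parse_headers(raw_response)
              if n == "strict-transport-security"]
    if not values:
        return ["missing: no Strict-Transport-Security header"]
    if len(values) > 1:
        # RFC 6797 section 8.1: only the first header is processed;
        # the article notes browsers may behave unpredictably here.
        findings.append("duplicate: header sent %d times" % len(values))
    d = parse_hsts(values[0])
    if "max-age" not in d:
        findings.append("invalid: max-age directive missing")
    elif not re.fullmatch(r"\d+", d["max-age"]):
        findings.append("invalid: max-age is not a non-negative integer")
    elif int(d["max-age"]) == 0:
        findings.append("disabled: max-age=0 tells browsers to forget the policy")
    elif int(d["max-age"]) < min_max_age:
        findings.append("weak: max-age %s below %d seconds" % (d["max-age"], min_max_age))
    if "includesubdomains" not in d:
        findings.append("note: includeSubDomains not set")
    return findings


# Constructed sample responses (not captured from the product).
RESPONSE_MISSING = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=EXAMPLE; Secure; HttpOnly

<html>...</html>"""

RESPONSE_OK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html

"""

RESPONSE_DUPLICATE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html

"""

if __name__ == "__main__":
    for label, resp in [("missing", RESPONSE_MISSING),
                        ("ok", RESPONSE_OK),
                        ("duplicate", RESPONSE_DUPLICATE)]:
        print(label, check_hsts(resp) or ["no findings"])
```

Run against real responses, the checker takes the raw header block of each HTTPS reply (for example, as saved by a proxy or curl -i) and reports one of: missing, duplicate, invalid, disabled, weak or a note about includeSubDomains. An HTTP-only login being disabled, as in the customer's case, does not change the result: the header is evaluated per response, and the scanner flags every HTTPS response that lacks it.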
Resolution
In either of those scenarios there are much worse things an attacker could do than the attack described here.
However, the header is being added to help close that small window anyway, since there is no cost to doing so.
It will be in upcoming releases, and may be patched back into some existing codelines at the discretion of the Customer Success team.
It will be fixed in highland park (7.0.2).