HPE Community
HPE OneView
1753767 Members
5717 Online
108799 Solutions
New Discussion

Re: OneView 5.30.00_ HSTS

 
IMax77
Occasional Advisor

‎02-10-2021 11:10 PM

‎02-10-2021 11:10 PM

OneView 5.30.00_ HSTS

Hi,

Right now there is no HSTS in OneView 5.30.00. It should be there as defined by RFC 6797.

https://tools.ietf.org/html/rfc6797

How should the HSTS be activated?

 

0 Kudos
Reply
11 REPLIES 11
ChrisLynch
HPE Pro

‎02-11-2021 09:56 AM

‎02-11-2021 09:56 AM

Re: OneView 5.30.00_ HSTS

You need to update to HPE OneView 5.50.


I am an HPE employee

Accept or Kudo

0 Kudos
Reply
IMax77
Occasional Advisor

‎02-12-2021 12:15 AM

‎02-12-2021 12:15 AM

Re: OneView 5.30.00_ HSTS

HI, 

How should the HSTS be activated in the OneView 5.50?

Or is HSTS activated by default on this release?

0 Kudos
Reply
Coolharts
Member

‎07-08-2021 08:26 AM

‎07-08-2021 08:26 AM

Re: OneView 5.30.00_ HSTS

Is HSTS supported on Oneview 6.1? My Teneble security scanner says it is not enabled.

0 Kudos
Reply
ChrisLynch
HPE Pro

‎07-08-2021 08:56 AM

‎07-08-2021 08:56 AM

Re: OneView 5.30.00_ HSTS

It is enabled by default once you update to the release I stated above. There is nothing further to do within the appliance.

I am an HPE employee

Accept or Kudo

0 Kudos
Reply
Coolharts
Member

‎07-08-2021 08:59 AM

‎07-08-2021 08:59 AM

Re: OneView 5.30.00_ HSTS

I have updated to Oneview 6.1 and am receiving this alert from my Tenable scanner:

142960 HSTS Missing From HTTPS Server (RFC
6797) Medium 1 Web Servers
Description: The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured
on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle
attacks, and weakens cookie-hijacking protections.

0 Kudos
Reply
ChrisLynch
HPE Pro

‎07-08-2021 09:00 AM

‎07-08-2021 09:00 AM

Re: OneView 5.30.00_ HSTS

Please open an HPE support case and private message me the ID.

I am an HPE employee

Accept or Kudo

0 Kudos
Reply
MissionCritical
Senior Member

‎07-12-2021 07:29 AM

‎07-12-2021 07:29 AM

Re: OneView 5.30.00_ HSTS

We are experiencing the same issue with our security scans. I had a case open with HPE and they said to update to 5.5 or higher. We updated to 6.1 and the vulnerability still shows on the secruity scans. I have been following this thread to see if there was a fix. 

Reply
ChrisLynch
HPE Pro

‎07-13-2021 11:30 AM

‎07-13-2021 11:30 AM

Re: OneView 5.30.00_ HSTS

We have identified a regression within OneView 6.00 through 6.20 that is causing this.  Starting with 6.00, we changed the OneView update internal mechanism to an image based approach to updating, in order to achieve faster updates.  Unfortunately, one of the internal config files that enabled HSTS support is not being captured.  So any customer updating to 6.00, 6.10 or the recently released 6.20 update will experience this regression.  We are working on a fix, and will be in a future OneView update that will re-enable HSTS support automatically.


I am an HPE employee

Accept or Kudo

0 Kudos
Reply
MissionCritical
Senior Member

‎07-26-2021 11:03 AM

‎07-26-2021 11:03 AM

Re: OneView 5.30.00_ HSTS

Thanks Chris for the reply. I notified my secruity team to let them know. Will be following this thread for updates.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.