HPE OneView

Re: OneView 5.30.00_ HSTS

IMax77
Occasional Advisor

OneView 5.30.00_ HSTS

Hi,

Right now there is no HSTS in OneView 5.30.00. It should be there as defined by RFC 6797.

https://tools.ietf.org/html/rfc6797

How should the HSTS be activated?

ChrisLynch
HPE Pro

Re: OneView 5.30.00_ HSTS

You need to update to HPE OneView 5.50.


I am an HPE employee


IMax77
Occasional Advisor

Re: OneView 5.30.00_ HSTS

Hi,

How should the HSTS be activated in the OneView 5.50?

Or is HSTS activated by default on this release?

Coolharts
Occasional Visitor

Re: OneView 5.30.00_ HSTS

Is HSTS supported on OneView 6.1? My Tenable security scanner says it is not enabled.

ChrisLynch
HPE Pro

Re: OneView 5.30.00_ HSTS

It is enabled by default once you update to the release I stated above. There is nothing further to do within the appliance.

I am an HPE employee


Coolharts
Occasional Visitor

Re: OneView 5.30.00_ HSTS

I have updated to OneView 6.1 and am receiving this alert from my Tenable scanner:

142960 HSTS Missing From HTTPS Server (RFC 6797) Medium 1 Web Servers

Description: The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
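The scanner finding quoted above comes down to one question: does the appliance's HTTPS response carry a usable Strict-Transport-Security header? The following is an added example, not HPE's or Tenable's code: it parses that header as RFC 6797 specifies and sends a HEAD request to an appliance (host, port and path are assumed arguments), so the result can be compared with the Tenable finding before and after an update.

```python
import re
from http.client import HTTPSConnection

# RFC 6797 section 6.1: directives are ';'-separated, names are case-insensitive,
# max-age is mandatory, values may be quoted, and a directive must not repeat.
_DIRECTIVE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2)?\s*$')

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or invalid."""
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for token in filter(str.strip, value.split(";")):  # skip empty tokens
        m = _DIRECTIVE.match(token)
        if not m or m.group(1).lower() in seen:
            return None  # malformed token or duplicate directive
        name = m.group(1).lower()
        seen.add(name)
        if name == "max-age":
            secs = (m.group(3) or "").strip()
            if not secs.isdigit():
                return None  # max-age needs a non-negative integer value
            policy["max_age"] = int(secs)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True  # not in RFC 6797 but widely used
    return policy if policy["max_age"] is not None else None

def hsts_enforced(headers):
    """True if the response enforces HSTS. Header names may be in any case."""
    lowered = {k.lower(): v for k, v in headers.items()}
    policy = parse_hsts(lowered.get("strict-transport-security"))
    # max-age=0 tells browsers to forget the host, so it is not enforcement.
    return policy is not None and policy["max_age"] > 0

def fetch_headers(host, port=443, path="/"):
    """HEAD the appliance UI (assumed host/port/path) and return its headers."""
    conn = HTTPSConnection(host, port, timeout=10)  # default context verifies TLS
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())

if __name__ == "__main__":
    import sys  # usage: python hsts_check.py <appliance-host>
    print("HSTS enforced" if hsts_enforced(fetch_headers(sys.argv[1])) else
          "HSTS missing from HTTPS server (RFC 6797)")
```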

ChrisLynch
HPE Pro

Re: OneView 5.30.00_ HSTS

Please open an HPE support case and private message me the ID.

I am an HPE employee


MissionCritical
Frequent Visitor

Re: OneView 5.30.00_ HSTS

We are experiencing the same issue with our security scans. I had a case open with HPE and they said to update to 5.5 or higher. We updated to 6.1 and the vulnerability still shows on the security scans. I have been following this thread to see if there was a fix.

ChrisLynch
HPE Pro

Re: OneView 5.30.00_ HSTS

We have identified a regression within OneView 6.00 through 6.20 that is causing this. Starting with 6.00, we changed the OneView update internal mechanism to an image-based approach to updating, in order to achieve faster updates. Unfortunately, one of the internal config files that enabled HSTS support is not being captured. So any customer updating to 6.00, 6.10 or the recently released 6.20 update will experience this regression. We are working on a fix, and it will be in a future OneView update that will re-enable HSTS support automatically.


I am an HPE employee


MissionCritical
Frequent Visitor

Re: OneView 5.30.00_ HSTS

Thanks Chris for the reply. I notified my security team to let them know. Will be following this thread for updates.