IMax77
Occasional Advisor

OneView 5.30.00_ HSTS

Hi,

Right now there is no HSTS in OneView 5.30.00. It should be there as defined by RFC 6797.

https://tools.ietf.org/html/rfc6797

How should the HSTS be activated?

 

ChrisLynch
HPE Pro

Re: OneView 5.30.00_ HSTS

You need to update to HPE OneView 5.50.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
IMax77
Occasional Advisor

Re: OneView 5.30.00_ HSTS

Hi,

How should the HSTS be activated in the OneView 5.50?

Or is HSTS activated by default on this release?

Coolharts
Established Member

Re: OneView 5.30.00_ HSTS

Is HSTS supported on OneView 6.1? My Tenable security scanner says it is not enabled.

ChrisLynch
HPE Pro

Re: OneView 5.30.00_ HSTS

It is enabled by default once you update to the release I stated above. There is nothing further to do within the appliance.
Coolharts
Established Member

Re: OneView 5.30.00_ HSTS

I have updated to OneView 6.1 and am receiving this alert from my Tenable scanner:

142960 HSTS Missing From HTTPS Server (RFC 6797) Medium 1 Web Servers
Description: The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
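The scanner finding above boils down to one question: does the appliance's HTTPS response carry a usable Strict-Transport-Security header? The following script is an added example for this thread (it is not HPE or OneView code and not part of any post) that reproduces that check offline against constructed sample responses and, optionally, against a live appliance. It parses the header the way RFC 6797 section 6.1 describes (case-insensitive directive names, no duplicate directives, a decimal max-age) and flags the three states a defender cares about: header absent, header malformed, or max-age too small. The hostname in the commented live call is a placeholder, and the one-year minimum is an assumption, not a Tenable threshold.

```python
"""Check an HTTPS response for a usable Strict-Transport-Security (HSTS) header,
as RFC 6797 defines it. Added example for this thread; not HPE/OneView code."""
import http.client
import ssl

ONE_YEAR = 31536000  # seconds; assumed minimum, chosen for this example


def parse_sts(value):
    """Parse an STS field value into {directive-name: value-or-None}.

    Returns None when the value is unusable under RFC 6797 section 6.1:
    a directive appears twice, or max-age is absent or not a decimal integer.
    """
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, has_value, val = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:
            return None                      # duplicates make the header invalid
        directives[name] = val.strip().strip('"') if has_value else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return directives


def evaluate_sts(headers, min_max_age=ONE_YEAR):
    """Return (ok, reason) for a mapping of response header names to values.

    Header names are compared case-insensitively; only the first STS header
    is considered, which is what RFC 6797 section 8.1 requires of clients.
    """
    lowered = {}
    for name, value in headers.items():
        lowered.setdefault(name.lower(), value)
    value = lowered.get("strict-transport-security")
    if value is None:
        return False, "Strict-Transport-Security header missing"
    directives = parse_sts(value)
    if directives is None:
        return False, "Strict-Transport-Security header malformed: %r" % value
    max_age = int(directives["max-age"])
    if max_age == 0:
        return False, "max-age=0 tells browsers to forget the HSTS policy"
    if max_age < min_max_age:
        return False, "max-age %d is below the %d second minimum" % (max_age, min_max_age)
    suffix = ", including subdomains" if "includesubdomains" in directives else ""
    return True, "HSTS enforced for %d seconds%s" % (max_age, suffix)


def fetch_headers(host, port=443, path="/", verify=True, timeout=5.0):
    """HEAD the appliance over TLS and return its response headers.

    verify=False is for appliances with self-signed certificates; this check
    is about the header, not the certificate chain. This is a live network call.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("HEAD", path)
        headers = {}
        for name, value in conn.getresponse().getheaders():
            headers.setdefault(name, value)  # keep the first of any repeated header
        return headers
    finally:
        conn.close()


# Constructed sample responses (not captured from a real appliance).
SAMPLE_RESPONSES = {
    "regressed": {"Server": "example", "Content-Type": "text/html"},
    "fixed": {"Server": "example",
              "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "weak": {"strict-transport-security": "max-age=300"},
}


def check_samples():
    """Evaluate the constructed samples; returns {name: ok}."""
    return {name: evaluate_sts(hdrs)[0] for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, evaluate_sts(hdrs))
    # Live check of a real appliance (hostname is a placeholder):
    # print(evaluate_sts(fetch_headers("oneview.example.internal", verify=False)))
```

Run it as-is to see the three sample verdicts; to confirm a scanner result on a real appliance, uncomment the last line with your own hostname. A `False` verdict with "header missing" is exactly the condition the Tenable plugin reports.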

ChrisLynch
HPE Pro

Re: OneView 5.30.00_ HSTS

Please open an HPE support case and private message me the ID.
MissionCritical
Senior Member

Re: OneView 5.30.00_ HSTS

We are experiencing the same issue with our security scans. I had a case open with HPE and they said to update to 5.5 or higher. We updated to 6.1 and the vulnerability still shows on the security scans. I have been following this thread to see if there was a fix.

ChrisLynch
HPE Pro

Re: OneView 5.30.00_ HSTS

We have identified a regression within OneView 6.00 through 6.20 that is causing this. Starting with 6.00, we changed the OneView update internal mechanism to an image based approach to updating, in order to achieve faster updates. Unfortunately, one of the internal config files that enabled HSTS support is not being captured. So any customer updating to 6.00, 6.10 or the recently released 6.20 update will experience this regression. We are working on a fix, and it will be in a future OneView update that will re-enable HSTS support automatically.

MissionCritical
Senior Member

Re: OneView 5.30.00_ HSTS

Thanks Chris for the reply. I notified my security team to let them know. Will be following this thread for updates.

MissionCritical
Senior Member

Re: OneView 5.30.00_ HSTS

Wanted to follow up on this. Has the HSTS issue been fixed in the latest version of OneView, 6.3 and/or 6.4?

ChrisLynch
HPE Pro

Re: OneView 5.30.00_ HSTS

Yes, this was addressed in OneView 6.30.
