[MXS-2522] Nessus security scan on MaxScale node shows vulnerability on maxctrl 8989 port Created: 2019-05-28  Updated: 2019-05-29  Resolved: 2019-05-29

Status: Closed
Project: MariaDB MaxScale
Component/s: N/A
Affects Version/s: None
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Richard Lane Assignee: Unassigned
Resolution: Not a Bug Votes: 0
Labels: None
Environment: Centos 7.6

Description

34850 (1) - Web Server Uses Basic Authentication Without HTTPS -
Synopsis
The remote web server seems to transmit credentials in cleartext.
Description
The remote web server contains web pages that are protected by 'Basic'
authentication over cleartext.

An attacker eavesdropping the traffic might obtain logins and passwords of valid users.
Solution
Make sure that HTTP authentication is transmitted over HTTPS.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C/I:N/A:N)
References
XREF CWE:319
XREF CWE:928
XREF CWE:930
XREF CWE:934
Plugin Information:
Published: 2008/11/21, Modified: 2016/11/29
Plugin Output
10.76.65.215 (tcp/8989)

The following web pages use Basic Authentication over an unencrypted
channel :

/:/ realm="maxscale"

Comments
Comment by markus makela [ 2019-05-29 ]

Not a bug: https://mariadb.com/kb/en/mariadb-maxscale-23-mariadb-maxscale-configuration-usage-scenarios/#admin_ssl_key

The default is to use HTTP and only enable HTTPS once the certificates have been configured. To enable it, define the admin_ssl_key, admin_ssl_cert, and admin_ssl_ca_cert parameters under the [maxscale] section.

The REST API tutorial covers the hardening of the REST API for non-development use.
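As an added illustration of the configuration change the comment above describes (this is not a configuration from the ticket or from the MaxScale project; the certificate file paths are assumptions), here is a `[maxscale]` section as the scanner found it, serving the REST API over plain HTTP on 8989, followed by the same section with TLS enabled through the three `admin_ssl_*` parameters:

```ini
# --- before: /etc/maxscale.cnf (REST API on tcp/8989 over cleartext HTTP) ---
# admin_ssl_* is unset, so Basic-auth credentials for realm "maxscale"
# cross the network unencrypted; this is what Nessus plugin 34850 reports.
[maxscale]
threads=auto
admin_port=8989

# --- after: /etc/maxscale.cnf (REST API on tcp/8989 over HTTPS) ---
# Setting all three parameters switches the admin interface to TLS.
# The paths below are placeholders; the files must be readable by the
# account MaxScale runs as.
[maxscale]
threads=auto
admin_port=8989
admin_ssl_key=/etc/maxscale/certs/server-key.pem
admin_ssl_cert=/etc/maxscale/certs/server-cert.pem
admin_ssl_ca_cert=/etc/maxscale/certs/ca-cert.pem
```

After restarting MaxScale, the admin port only speaks TLS, so maxctrl has to be invoked with `--secure` and pointed at the CA with `--tls-ca-cert` (for example `maxctrl --secure --tls-ca-cert /etc/maxscale/certs/ca-cert.pem list servers`), and a rescan of tcp/8989 sees HTTPS rather than the cleartext Basic authentication the finding describes.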

Generated at Thu Feb 08 04:14:44 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.