The Cloud
APM server
server1
process is susceptible to the External service interaction (DNS)
vulnerability. An artificially modified HTTP HOST header value might cause the Cloud
APM server to perform a DNS lookup of another host if the
HTTP HOST header does not specify the host name of the Cloud
APM server. You can mitigate this vulnerability by creating
a virtual host definition for the server1
process.
Procedure
Complete these steps to add a virtual host definition for the server1
process to the user-exit.xml file:
-
Upgrade one of your OS agents to the version in the Cloud
APM V8.1.4.0.7 or later agent refresh
release.
See
Agent and data collector version in Cloud APM,
Private releases in the
APM
Developer Center for more details on the OS agent versions
included in the V8.1.4.0 agent refreshes. The OS agent upgrade updates the OS agent application
support on the
Cloud
APM server and provides a fix that
is required for using the OS agent log file monitoring configuration UI when a virtual host is
defined for the server1 process.
- Apply Cloud
APM V8.1.4.0 server
interim fix 8 or later.
Interim fixes for the
Cloud
APM server V8.1.4.0 are available from
IBM Fix Central.
- Open the install_dir/wlp/usr/servers/server1/user-exit.xml file in a text editor.
-
Add the following virtual
<hostAlias>
definitions:
<virtualHost id="default_host" >
<hostAlias>${hostname.long.apmui}:8090</hostAlias>
<hostAlias>${hostname.long.apmui}:8091</hostAlias>
<hostAlias>${hostname.short.apmui}:8090</hostAlias>
<hostAlias>${hostname.short.apmui}:8091</hostAlias>
<hostAlias>${hostname.ip.apmui}:8090</hostAlias>
<hostAlias>${hostname.ip.apmui}:8091</hostAlias>
<hostAlias>localhost:8090</hostAlias>
<hostAlias>localhost:8091</hostAlias>
<hostAlias>127.0.0.1:8090</hostAlias>
<hostAlias>127.0.0.1:8091</hostAlias>
</virtualHost>
The
host aliases define the specific HTTP HOST headers that can be used in HTTP requests to the server1
process, for example, in Threshold Manager API requests. If one of these aliases is not specified in
a HTTP HOST header, an HTTP 404 response code is returned and no DNS lookup is performed.
Note: Cloud
APM V8.1.4.0 server interim fix 8 or
later automatically creates virtual host aliases for the
apmui
,
oidc
, and
uviews
services. If you want to protect the
Cloud
APM server
min
process from a similar vulnerability, perform the steps in
Enabling virtual hosts for agent traffic.