Oracle VM: HSTS Vulnerability On OVM Manager
(Doc ID 2758597.1)
Last updated on JUNE 02, 2021
Applies to: Oracle VM - Version 3.4.6 and later
Information in this document applies to any platform.
Oracle VM Manager, running the latest version of Oracle VM Manager and the latest kernel, shows the HSTS vulnerability.
Description: The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to communicate only via HTTPS. The lack of HSTS allows downgrade attacks and SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Solution: Configure the remote web server to use HSTS.
The remote HTTPS server does not send the HTTP
Plugin Published Date: 2020-11-17
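To confirm the finding and to verify the fix afterwards, the response headers can be checked against the RFC 6797 grammar. The Python below is an added example, not part of the Oracle note or of Oracle VM Manager; the function names, the one-year `min_age` threshold and the sample header lists are assumptions constructed for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    value is malformed and a conforming browser would ignore the header.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, sep, arg = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a directive must not appear more than once
        seen[name] = arg.strip() if sep else None
    raw = seen.get("max-age")
    if raw is None:
        return None  # max-age is required
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]  # the quoted-string form is permitted
    if not re.fullmatch(r"[0-9]+", raw):
        return None
    if seen.get("includesubdomains") is not None:
        return None  # includeSubDomains takes no value
    return {"max_age": int(raw),
            "include_subdomains": "includesubdomains" in seen}

def audit(headers, min_age=31536000):
    """Classify a list of (name, value) response headers from an HTTPS reply.

    min_age (one year) is an assumed local policy threshold, not from RFC 6797.
    """
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return "missing"  # the header is absent, as in the finding above
    policy = parse_hsts(values[0])  # browsers process only the first STS field
    if policy is None:
        return "invalid"
    if policy["max_age"] == 0:
        return "disabled"  # max-age=0 tells the browser to forget the policy
    return "ok" if policy["max_age"] >= min_age else "short"

# Constructed sample responses, not captured from a real OVM Manager.
if __name__ == "__main__":
    print(audit([("Content-Type", "text/html")]))
    print(audit([("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]))
```

A header that is present but malformed is ignored by browsers, so an "invalid" result leaves the server as exposed as a "missing" one.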