We have AEM set up for the first time in our system. Our security team scans the VM before it can go live. They found the following issues on it. Does anyone know how to correct them?
Vuln 45242 Remote Management Service Accepting Unencrypted Credentials Detected
dcmipvmacc008.edc.nam.com port: 8080
Service Name: HTTP on TCP port 8080.
HTTP Service Excepting Basic Auth Credentials Detected
dcwipvmacc008.edc.nam.com port: 8080
Service Name: HTTP on TCP port 8080.
HTTP Service Excepting Basic Auth Credentials Detected
Vuln 86763 Web Server Uses Plain Text Basic Authentication
dcmipvmacc008.edc.nam.com port: 8080
dcwipvmacc008.edc.nam.com port: 8080
The login page at port 8080 needs to use encryption or be disabled.
Hi
Can you please confirm with the security team which tool is generating these messages?
It would be wiser to look at the documentation of that tool to better understand these messages.
Thanks and Regards
Kautuk Sahni
Those messages are not AEM messages - you need to consult with the tool's docs that generated those. For AEM and security best practices, see https://docs.adobe.com/docs/en/aem/6-2/administer/security/security-checklist.html
Yes. They are not AEM messages. The messages are from a Qualys scan which ran on the VM where author is installed and listening on port 8080. Searching on Google, I think it complains about the author server login page (listening on 8080) using plain text basic authentication.
Any idea how to correct it on author side?
If you are concerned that the default AEM authentication uses a text-based password (which seems to be the cause of the message: The login page at port 8080 needs to use encryption or be disabled.) -- then write a custom authentication handler:
http://www.wemblog.com/2013/03/how-to-create-custom-authentication.html
Or, instead of writing a custom authentication handler, another choice that you have is to set up 2-factor authentication:
https://helpx.adobe.com/experience-manager/using/twofactor.html
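The condition the two scanner findings quoted in the thread describe (a Basic auth challenge served over unencrypted HTTP), written as an added example that is not part of the original thread and not the scanner's own logic. The host name `author.example.test`, the realm values and the sample responses are constructed; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real server).
SAMPLE_401 = (b'HTTP/1.1 401 Unauthorized\r\n'
              b'WWW-Authenticate: Basic realm="constructed, example"\r\n'
              b'Content-Length: 0\r\n\r\n')
SAMPLE_MULTI = (b'HTTP/1.1 401 Unauthorized\r\n'
                b'WWW-Authenticate: Negotiate, basic realm="x", charset="UTF-8"\r\n\r\n')
SAMPLE_FORM = (b'HTTP/1.1 200 OK\r\n'
               b'Content-Type: text/html\r\n\r\n<form method="post">')


def parse_challenges(raw_response: bytes) -> list[str]:
    """Return the lower-cased auth schemes offered in WWW-Authenticate headers."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    schemes = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Blank out quoted strings so commas inside a realm do not split wrongly.
        value = re.sub(r'"[^"]*"', '""', value)
        for part in value.split(","):
            part = part.strip()
            if not part:
                continue
            token = part.split(None, 1)[0]
            if "=" not in token:                   # a scheme name, not a parameter
                schemes.append(token.lower())
    return schemes


def classify(url: str, raw_response: bytes) -> str:
    """Classify one endpoint; covers only the Basic challenge, not form logins."""
    offers_basic = "basic" in parse_challenges(raw_response)
    if not offers_basic:
        return "no-basic-challenge"
    if urlsplit(url).scheme.lower() == "https":
        return "basic-over-tls"
    return "plaintext-basic"                       # the condition the scan reports


if __name__ == "__main__":
    for url, resp in [("http://author.example.test:8080/", SAMPLE_401),
                      ("https://author.example.test/", SAMPLE_401),
                      ("http://author.example.test:8080/", SAMPLE_FORM)]:
        print(url, "->", classify(url, resp))
```

The result depends on the transport as well as the header: the same challenge served over `https` is classified `basic-over-tls`, while over `http` it is `plaintext-basic`.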