Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.

security scan issue on author server

Avatar

Level 2

We have AEM setup first time in our system. Our security team scans the VM before it can go live. They found following issue on it. Anyone knows how to correct it?

Vuln 45242 Remote Management Service Accepting Unencrypted Credentials Detected
dcmipvmacc008.edc.nam.com port: 8080
Service Name: HTTP on TCP port 8080.
HTTP Service Excepting Basic Auth Credentials Detected
dcwipvmacc008.edc.nam.com port: 8080
Service Name: HTTP on TCP port 8080.
HTTP Service Excepting Basic Auth Credentials Detected
Vuln 86763 Web Server Uses Plain Text Basic Authentication
dcmipvmacc008.edc.nam.com port: 8080
dcwipvmacc008.edc.nam.com port: 8080
The login page at port 8080 needs to use encryption or be disabled.

4 Replies

Avatar

Administrator

Hi 

Can you please confirm with the security team which tool is generating these messages?

It would be wiser to look at the documentation of that tool to better understand these messages.

 

Thanks and Regards

Kautuk Sahni



Kautuk Sahni

Avatar

Level 10

Those messages are not AEM messages - you need to consult with the tool's docs that generated those. For AEM and security best practices, see . https://docs.adobe.com/docs/en/aem/6-2/administer/security/security-checklist.html

Avatar

Level 2

Yes. They are not AEM messages. The messages are from Qualys scan which ran on the VM where author is installed and listening on port 8080. Searching on google I think it complains about author server login page (listening on 8080) using plain text basic authentication. 

Any idea how to correct it on author side?

Avatar

Level 10

If you are concerned that the default AEM authentication uses a text based password (which seems to be the cause of the message: The login page at port 8080 needs to use encryption or be disabled.) -- then write a custom authentication handler: 

http://www.wemblog.com/2013/03/how-to-create-custom-authentication.html

Or instead of writing a custom authen handler - another choice that you have is to setup 2 factor authentication: 

https://helpx.adobe.com/experience-manager/using/twofactor.html