https://communities.sas.com/t5/SAS-Viya/HSTS-Not-Enforced-on-Remote-Web-Server-for-DMT-EM-Component/m-p/967522#M2861 <DIV class=""><STRONG>To SAS Viya Support Team,</STRONG></DIV><P>&nbsp;</P><DIV class="">Greetings,</DIV><P>&nbsp;</P><DIV class="">During a security scan, we identified a critical vulnerability on the following servers where <STRONG>HSTS (HTTP Strict Transport Security) is not enforced</STRONG> on the remote web server for the <STRONG>DMT.EM component</STRONG>, in violation of RFC 6797:</DIV><P><STRONG>1. Vulnerability Details</STRONG></P><UL><LI><STRONG>Component/Service</STRONG>: DMT.EM</LI><LI><STRONG>Vulnerability Description</STRONG>: The remote web server does not enforce HSTS, leaving it susceptible to man-in-the-middle (MITM) attacks.</LI><LI><STRONG>Affected Servers</STRONG>:<UL><LI>Server 1</LI><LI>Server 2</LI></UL></LI><LI><STRONG>Vulnerability ID</STRONG>: 42</LI><LI><STRONG>Remediation Recommendation</STRONG>: Configure the remote web server to enforce HSTS.</LI></UL><P><STRONG>2. Requested Assistance</STRONG></P><UL><LI>Please advise on the <STRONG>specific steps</STRONG> to enable HSTS for the DMT.EM component in the SAS Viya environment, including any configuration files or settings that need modification.</LI><LI>Confirm whether this requires changes to the SAS Viya configuration or can be addressed at the web server level (e.g., Apache, Nginx).</LI><LI>Provide guidance on verifying the successful implementation of HSTS post-configuration (e.g., using browser tools or security headers checkers).</LI></UL><P><STRONG>3. Severity and Timeline</STRONG></P><DIV class="">This vulnerability poses a high risk to data security. We kindly request a <STRONG>priority response</STRONG> and a detailed action plan by <STRONG>[Insert Deadline, e.g., 24 hours from ticket creation]</STRONG>.</DIV><P>&nbsp;</P><DIV class="">Thank you for your prompt support.</DIV><P>&nbsp;</P><DIV class="">Best regards,</DIV><DIV class="">West</DIV> Tue, 27 May 2025 02:58:10 GMT west_liu 2025-05-27T02:58:10Z https://communities.sas.com/t5/SAS-Viya/HSTS-Not-Enforced-on-Remote-Web-Server-for-DMT-EM-Component/m-p/967522#M2861 <DIV class=""><STRONG>To SAS Viya Support Team,</STRONG></DIV><P>&nbsp;</P><DIV class="">Greetings,</DIV><P>&nbsp;</P><DIV class="">During a security scan, we identified a critical vulnerability on the following servers where <STRONG>HSTS (HTTP Strict Transport Security) is not enforced</STRONG> on the remote web server for the <STRONG>DMT.EM component</STRONG>, in violation of RFC 6797:</DIV><P><STRONG>1. Vulnerability Details</STRONG></P><UL><LI><STRONG>Component/Service</STRONG>: DMT.EM</LI><LI><STRONG>Vulnerability Description</STRONG>: The remote web server does not enforce HSTS, leaving it susceptible to man-in-the-middle (MITM) attacks.</LI><LI><STRONG>Affected Servers</STRONG>:<UL><LI>Server 1</LI><LI>Server 2</LI></UL></LI><LI><STRONG>Vulnerability ID</STRONG>: 42</LI><LI><STRONG>Remediation Recommendation</STRONG>: Configure the remote web server to enforce HSTS.</LI></UL><P><STRONG>2. Requested Assistance</STRONG></P><UL><LI>Please advise on the <STRONG>specific steps</STRONG> to enable HSTS for the DMT.EM component in the SAS Viya environment, including any configuration files or settings that need modification.</LI><LI>Confirm whether this requires changes to the SAS Viya configuration or can be addressed at the web server level (e.g., Apache, Nginx).</LI><LI>Provide guidance on verifying the successful implementation of HSTS post-configuration (e.g., using browser tools or security headers checkers).</LI></UL><P><STRONG>3. Severity and Timeline</STRONG></P><DIV class="">This vulnerability poses a high risk to data security. We kindly request a <STRONG>priority response</STRONG> and a detailed action plan by <STRONG>[Insert Deadline, e.g., 24 hours from ticket creation]</STRONG>.</DIV><P>&nbsp;</P><DIV class="">Thank you for your prompt support.</DIV><P>&nbsp;</P><DIV class="">Best regards,</DIV><DIV class="">West</DIV> Tue, 27 May 2025 02:58:10 GMT https://communities.sas.com/t5/SAS-Viya/HSTS-Not-Enforced-on-Remote-Web-Server-for-DMT-EM-Component/m-p/967522#M2861 west_liu 2025-05-27T02:58:10Z https://communities.sas.com/t5/SAS-Viya/HSTS-Not-Enforced-on-Remote-Web-Server-for-DMT-EM-Component/m-p/967523#M2862 <P>To get a priority response open a ticket via the Tech Support channel:&nbsp;<A href="https://service.sas.com/" target="_blank">https://service.sas.com/</A></P> Tue, 27 May 2025 04:08:51 GMT https://communities.sas.com/t5/SAS-Viya/HSTS-Not-Enforced-on-Remote-Web-Server-for-DMT-EM-Component/m-p/967523#M2862 SASKiwi 2025-05-27T04:08:51Z