To SAS Viya Support Team,
Greetings,
During a security scan, we identified a critical vulnerability on the following servers where HSTS (HTTP Strict Transport Security) is not enforced on the remote web server for the DMT.EM component, in violation of RFC 6797:
1. Vulnerability Details
- Component/Service: DMT.EM
- Vulnerability Description: The remote web server does not enforce HSTS, leaving it susceptible to man-in-the-middle (MITM) attacks.
- Affected Servers:
- Vulnerability ID: 42
- Remediation Recommendation: Configure the remote web server to enforce HSTS.
2. Requested Assistance
- Please advise on the specific steps to enable HSTS for the DMT.EM component in the SAS Viya environment, including any configuration files or settings that need modification.
- Confirm whether this requires changes to the SAS Viya configuration or can be addressed at the web server level (e.g., Apache, Nginx).
- Provide guidance on verifying the successful implementation of HSTS post-configuration (e.g., using browser tools or security headers checkers).
3. Severity and Timeline
This vulnerability poses a high risk to data security. We kindly request a priority response and a detailed action plan by [Insert Deadline, e.g., 24 hours from ticket creation].
Thank you for your prompt support.
Best regards,
West
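The ticket's third request asks how to verify that HSTS is actually enforced after the change. The checker below is an added example (it is not part of the ticket, and not SAS Viya or DMT.EM code): it parses a `Strict-Transport-Security` response header according to the RFC 6797 grammar (directives separated by `;`, case-insensitive names, a mandatory `max-age` in delta-seconds, no duplicate directives) and reports whether the header would cause a browser to enforce HTTPS, plus weaker-than-recommended settings. The header values in it are constructed samples; the one-year threshold is the commonly used minimum for a meaningful `max-age`, not an RFC requirement.

```python
"""Check a Strict-Transport-Security header for RFC 6797 conformance.

Added example for verifying an HSTS deployment. All header values below
are constructed samples, not captured from any real server.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; widely recommended minimum max-age (assumption, not RFC text)


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)    # header invalid or ineffective
    warnings: List[str] = field(default_factory=list)  # valid but weaker than recommended

    @property
    def enforced(self) -> bool:
        """True when a conforming browser would pin this host to HTTPS."""
        return self.present and not self.errors and (self.max_age or 0) > 0


def parse_hsts(header_value: Optional[str]) -> HstsResult:
    """Parse one STS header value (RFC 6797 section 6.1) into an HstsResult."""
    result = HstsResult(present=header_value is not None)
    if header_value is None:
        result.errors.append("Strict-Transport-Security header missing")
        return result

    seen: Dict[str, Optional[str]] = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue  # RFC 6797 tolerates empty segments
        name, sep, value = token.partition("=")
        name = name.lower().strip()
        value = value.strip().strip('"') if sep else None  # quoted-string form allowed
        if name in seen:
            # A given directive MUST NOT appear more than once (RFC 6797 6.1)
            result.errors.append(f"duplicate directive: {name}")
            continue
        seen[name] = value  # unknown directives are ignored, per the RFC

    if "max-age" not in seen:
        result.errors.append("max-age directive missing")
    else:
        value = seen["max-age"]
        if value is None or not re.fullmatch(r"\d+", value):
            result.errors.append(f"max-age is not delta-seconds: {value!r}")
        else:
            result.max_age = int(value)
            if result.max_age == 0:
                result.errors.append("max-age=0 tells browsers to forget this host's HSTS policy")
            elif result.max_age < ONE_YEAR:
                result.warnings.append(f"max-age {result.max_age} is below one year")

    result.include_subdomains = "includesubdomains" in seen
    result.preload = "preload" in seen
    if result.enforced and not result.include_subdomains:
        result.warnings.append("includeSubDomains not set; subdomains are not covered")
    return result


def check_response_headers(headers: Dict[str, str]) -> HstsResult:
    """Locate the STS header in a response header map (names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return parse_hsts(None)


if __name__ == "__main__":
    # Constructed responses: a hardened server and one with the finding from the ticket.
    samples = {
        "hardened": {"Content-Type": "text/html",
                     "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
        "missing":  {"Content-Type": "text/html"},
        "weak":     {"strict-transport-security": 'max-age="86400"'},
    }
    for label, hdrs in samples.items():
        r = check_response_headers(hdrs)
        print(f"{label:9s} enforced={r.enforced} errors={r.errors} warnings={r.warnings}")
```

To use it against a live host, feed it the response headers from a `curl -sI https://host/` or a browser's network panel; the `Strict-Transport-Security` header must be sent on HTTPS responses only, since RFC 6797 requires clients to ignore it over plain HTTP.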