The Cloud APM server's monitoring infrastructure node (min) process is susceptible to the External service interaction (DNS) vulnerability for agent traffic. An artificially modified HTTP HOST header value might cause the Cloud APM server to query its DNS to resolve the address of the HOST value passed. This is because the server supports agent traffic on all network interfaces by default. You can mitigate this vulnerability by defining the host names and ports for agent traffic.
Procedure
Complete these steps to add virtual host alias definitions to the user-exit.xml file:
- Open the install_dir/wlp/usr/servers/min/user-exit.xml file in a text editor.
- Add a <hostAlias> element for each Cloud APM server fully qualified host name or IP address and port combination that agents can connect to:
  <virtualHost id="default_host">
    <hostAlias>apm-server-host-ip:80</hostAlias>
    <hostAlias>apm-server-host-ip:443</hostAlias>
    <hostAlias>localhost:80</hostAlias>
    <hostAlias>localhost:443</hostAlias>
  </virtualHost>
  where apm-server-host-ip is the host name or IP address that your agents are configured to connect to. (The agents connect using the host name or IP address that you specified during the Cloud APM server installation or when you ran the install_dir/ccm/make_configuration_packages.sh script.)
  Also check the Host Name Override configuration setting. Create additional <hostAlias> lines for port 80 and port 443 for the host name override value if it is different from the value that was specified when the agent packages were configured.
  This example shows the virtual host alias definitions when the agents were configured to connect to the Cloud APM server with the my_server.ibm.com host name:
  <virtualHost id="default_host">
    <hostAlias>my_server.ibm.com:80</hostAlias>
    <hostAlias>my_server.ibm.com:443</hostAlias>
    <hostAlias>localhost:80</hostAlias>
    <hostAlias>localhost:443</hostAlias>
  </virtualHost>
- After you save user-exit.xml, restart the min component of the Cloud APM server:
Results
The defined virtual hosts are now enabled. From now on, if a monitoring agent sends a HOST header value that is not defined by a <hostAlias> entry, the Cloud APM server returns an HTTP 404 error.
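The following added example (not part of this documentation or of the Cloud APM product) models the check that the virtual host definitions introduce: it parses the <hostAlias> entries from a constructed user-exit.xml fragment matching the example above and reports whether a given HOST header would be accepted or rejected with the 404 described. It assumes that a HOST header without an explicit port implies port 80 for plain HTTP and 443 for HTTPS, and that matching is on the host and port pair.

```python
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the user-exit.xml fragment shown above.
USER_EXIT_XML = """<server>
  <virtualHost id="default_host">
    <hostAlias>my_server.ibm.com:80</hostAlias>
    <hostAlias>my_server.ibm.com:443</hostAlias>
    <hostAlias>localhost:80</hostAlias>
    <hostAlias>localhost:443</hostAlias>
  </virtualHost>
</server>"""


def load_host_aliases(xml_text, virtual_host_id="default_host"):
    """Return the set of (host, port) pairs declared as <hostAlias> entries
    under the virtualHost with the given id."""
    root = ET.fromstring(xml_text)
    aliases = set()
    for vh in root.iter("virtualHost"):
        if vh.get("id") != virtual_host_id:
            continue
        for alias in vh.iter("hostAlias"):
            host, _, port = alias.text.strip().rpartition(":")
            aliases.add((host.lower(), int(port)))
    return aliases


def split_host_header(host_header, tls):
    """Split a HOST header into (host, port). A missing port is assumed to
    imply 80 for HTTP and 443 for HTTPS (assumption, not product behaviour)."""
    value = host_header.strip()
    if value.startswith("["):  # IPv6 literal such as [::1]:443
        host, _, rest = value[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = value.partition(":")
    return host.lower(), int(port) if port else (443 if tls else 80)


def host_header_accepted(host_header, tls, aliases):
    """True when the HOST header matches a listed alias; otherwise the server
    would answer with the HTTP 404 described in the Results section."""
    return split_host_header(host_header, tls) in aliases


if __name__ == "__main__":
    aliases = load_host_aliases(USER_EXIT_XML)
    for hdr, tls in [("my_server.ibm.com", True), ("unlisted.example", True)]:
        status = "accepted" if host_header_accepted(hdr, tls, aliases) else "404"
        print(f"HOST: {hdr} -> {status}")
```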