Foglight 6.3.0 - Security and Compliance Guide

Understanding the Foglight platform's relationship to Java

Foglight® does not run JavaTM code in the browser, and therefore is not vulnerable to Java applet security issues. The recently reported Vulnerability Note VU#625617 is one example of such an issue.

The Foglight platform uses the Java Runtime Engine (JRE) internally to run the Management Server and the Agent Manager(s). These are self-contained software systems that are fully isolated from the Foglight platform’s content delivery system (the Web-based user interface) and as such they are not vulnerable to browser-based attacks. In particular, the Management Server and Agent Managers are not vulnerable to browser-based attacks that rely on the Java plug-in. Even when a Java plug-in is enabled in the browser, it cannot communicate with or influence the JRE instances that run Foglight in a separate process.

The Foglight platform’s Web-based user interface is a pure HTML interface which does not use Java. As such the Web-based user interface cannot be manipulated by Java plug-in–based attacks, and it remains fully operational when the Java plug-in is fully disabled. Customers using the Foglight platform’s Web-based user interface in their browsers may fully disable the Java plug-in without impacting their access to the Foglight platform.

"Clickjacking" vulnerability

Clickjacking is a vulnerability that causes an end user to unintentionally click invisible content on a web page, typically placed on top of the content they think they are clicking. This vulnerability can cause fraudulent or malicious transactions. One way to prevent clickjacking is by setting the X-Frame-Options response HTTP header with the page response. This prevents the page content from being rendered by another site when using iFrame HTML tags.

The Foglight Management Server adds the X-Frame-Options response HTTP header with the page response in the main URL: https://<localhost>:<port>/console/page. For the following two URL addresses, you can specify whether or not the page content is rendered by configuring the Frame Option option:

After specifying the value of Frame Option, the Foglight Management Server overwrites the value of the X-Frame-Options response header with the value of Frame Option. The value of the Frame Option option includes the following:

NOTE: Only the value configured in the top-level view takes effects.

FIPS-compliant mode

FIPS (Federal Information Processing Standard) 140-2 is a U.S. government security standard for hardware and software cryptography modules. Modules validated against the standard assure government and other users that the cryptography in the system meets the standard. For more information about the NIST FIPS 140-2 program, see Cryptographic Module Validation Program (CMVP) validation.

FIPS-compliant mode for Foglight Management Server

Foglight Management Server and Foglight cartridges use the Java Cryptographic Extension and Bouncy Castle Java FIPS library for cryptographic operations.

By default, Foglight Management Server does not operate in FIPS-compliant mode. Foglight still uses the FIPS-validated libraries, but it also allows cryptographic algorithms that are not supported by the FIPS 140-2 standard.

When FIPS-compliant mode is enabled:

To enable FIPS-compliant mode, select FIPS Compliance Mode in FIPS Compliance Settings during installation of Foglight Management Server.

CAUTION: Once the FIPS-compliant mode is enabled during installation, it cannot be disabled without a complete re-installation of Foglight.

NOTE: All Foglight Management Server cartridges are FIPS-compliant cartridges, for other cartridges refer to the relevant cartridge release notes.