ISE Security Finding - Existing Defect?

joonder — Thu, 18 Jan 2018 21:16:59 GMT

A recent security scan of ISE 1.4 came up with the finding below. I am trying to determine if a defect is open on this and/or if it has been released in a later release already. I can find defects for the same error on ASA and ESA, but nothing for ISE comes up in my searches.

X-XSS-Protection HTTP Header missing on port 443.

"CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A missing protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An insufficient protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an ignored mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path."

Re: ISE Security Finding - Existing Defect?

howon — Sat, 20 Jan 2018 01:57:27 GMT

XSS has been addressed with patch 11 for ISE 1.4. Refer to 1.4 RN:

Release Notes for Cisco Identity Services Engine, Release 1.4 - Cisco

topic Re: ISE Security Finding - Existing Defect? in Network Access Control

ISE Security Finding - Existing Defect?

Re: ISE Security Finding - Existing Defect?