@frederic_es  It sounds like that your client does use Protection Domains,, if that is not the case you may be able to disable this port in the CVM firewall.

Was there a pointer to any specific CVE in that security report? 

hi,

@sbarab :

Yes it use Protection domains.

No it’s not a CVE related vulnerability. The report say just that an attaker can view some sensitive informations without any security. It says also that an attack of the type reflected XSS vulnerability (non persistent) can be possible with the PD parameter.

@frederic_es  I am still investigating this.  I Will get back to you as soon as I find relevant info.

@frederic_es So I checked further. Presently there is plan to provide further security for this port on future release of AOS (probably AOS 5.18, but this can be changed) , but one thing to note is that this port can only be accessed from the network of the cluster or the remote site, it is not available for any other networks, you will get permission denied.Let me know if you have further concerns.

@frederic_es if your cluster cvm do not have the rules to block it, you can actually add them there manfully so the communication is limited to the subnets where the remote and main clusters are in.  Hope this satisfy some security concerns of yours and your clients.

hi Sbarab,

thank you for all this informations. I will do some network testings and report this to the concerned person .