Hi SK3210,
I found a similar report for BSM 9.24,
there the answer from R&D was:
Please see what's written in the Hardening Guide:
..
Using Basic Authentication in BSM
The BSM platform fully supports the basic authentication schema, which provides BSM with the ability to authenticate a client communicating with a BSM server via HTTP or HTTPS.

The basic authentication schema is based on the client sending its credentials to the server so that the server can authenticate the client. The client's credentials are sent in a Base64 encoding format and are not encrypted in any way. If you are concerned that your network traffic may be monitored by a sniffer, it is recommended that you use basic authentication in conjunction with SSL. This sends the client's credentials over an encrypted wire (after the SSL handshake has been completed).

For information on configuring the BSM platform to support SSL communication, see "Using SSL in BSM" on page 39.
So the only solution here is to use SSL.
Also, bypassing the Web Server (using port 8080) is not a good practice for accessing BSM.
The customer should use port 443, and the web server will pass the decoded credentials to JBoss.
..
In no way are you supposed to update packages which are delivered as part of BSM, like the Apache Web Server or the like.
Greetings
Siggi
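To make the Hardening Guide's point concrete (Base64 is an encoding, not encryption, so Basic credentials are only safe behind SSL on the web-server port), here is an added example, not code from the post or from BSM: it decodes a Basic Authorization header the way a sniffer trivially could and flags requests that carry it over plain HTTP or straight to port 8080. The Request fields and the sample requests are constructed for illustration.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    """A captured HTTP request reduced to the fields that matter here (constructed)."""
    scheme: str          # "http" or "https"
    port: int            # 443 = via web server with SSL, 8080 = direct to JBoss
    authorization: str   # value of the Authorization header, "" if absent


def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) carried by a Basic header, or None if it is not Basic.
    Anyone who can read the header can do exactly this; Base64 hides nothing."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def check_request(req: Request) -> dict:
    """Apply the post's policy: Basic credentials are acceptable only over SSL and
    through the web server (443), never on the wire in clear or bypassing to 8080."""
    creds = decode_basic(req.authorization)
    finding = {"basic_auth": creds is not None, "exposed": False, "bypasses_web_server": False}
    if creds is None:
        return finding
    if req.scheme != "https":
        finding["exposed"] = True          # credentials readable by a sniffer
    if req.port == 8080:
        finding["bypasses_web_server"] = True
    return finding


# Constructed samples: "YWRtaW46czNjcmV0" is Base64 of "admin:s3cret".
SAMPLE_REQUESTS = [
    Request("http", 8080, "Basic YWRtaW46czNjcmV0"),   # worst case: clear text, direct to JBoss
    Request("https", 443, "Basic YWRtaW46czNjcmV0"),   # the recommended path
    Request("https", 443, ""),                         # no Basic header at all
]


def audit(requests=SAMPLE_REQUESTS):
    """Return one finding per request, in order."""
    return [check_request(r) for r in requests]
```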