Is Process Automation vulnerable to the following CVEs?
CVE-2015-5220 CVE-2015-5188 CVE-2015-5178
CVE-2015-5178: The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.
CVE-2015-5188: Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for requests that make arbitrary changes to an instance via vectors involving a file upload using a multipart/form-data submission.
CVE-2015-5220: The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 and WildFly (formerly JBoss Application Server) allows remote attackers to cause a denial of service (memory consumption) via a large request header.
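The clickjacking condition in CVE-2015-5178 is simply a response with no framing restriction. The following check, added here as an example and not part of the original article or of CA/Red Hat code, decides from a response's headers whether a browser would render the page inside a FRAME or IFRAME on another origin. The sample responses are constructed for illustration; `probe()` shows how the same logic applies to a live URL, which is only meaningful on installs older than 4.3 SP02, where the console is still deployed.

```python
"""Framing check for CVE-2015-5178 (added example, not from the KB article).

A response is considered frameable unless it carries X-Frame-Options DENY or
SAMEORIGIN, or a Content-Security-Policy frame-ancestors directive.  The
obsolete ALLOW-FROM value is ignored by current browsers and is therefore
not counted as a protection.
"""
import http.client
from urllib.parse import urlparse

# Constructed sample responses (not captured from a real server).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: JBoss-EAP/6\r\n"
    "\r\n"
    "<html><body>Management Console</body></html>"
)
FIXED_XFO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>Management Console</body></html>"
)
FIXED_CSP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    "<html><body>Management Console</body></html>"
)


def frameable(headers):
    """Return True if a browser would embed this response in a cross-origin frame.

    `headers` is an iterable of (name, value) pairs, as returned by
    http.client.HTTPResponse.getheaders().  Header names are compared
    case-insensitively.
    """
    h = {name.lower(): value.strip() for name, value in headers}
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, _ = directive.strip().partition(" ")
        # Any frame-ancestors directive restricts framing to the listed
        # sources ('none', 'self' or explicit origins), so treat it as a fix.
        if name.lower() == "frame-ancestors":
            return False
    return True


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, [(name, value), ...])."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = [tuple(line.split(":", 1)) for line in lines[1:] if ":" in line]
    return status, headers


def check_raw(raw):
    """Return (status_code, frameable) for a raw response string."""
    status, headers = parse_raw_response(raw)
    return status, frameable(headers)


def probe(url, timeout=5):
    """Fetch `url` and return (status_code, frameable).  Assumed usage; the
    console URL is not given by the article and must be supplied by the caller."""
    u = urlparse(url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    return resp.status, frameable(resp.getheaders())


if __name__ == "__main__":
    for label, raw in (("no header", VULNERABLE_RESPONSE),
                       ("X-Frame-Options", FIXED_XFO_RESPONSE),
                       ("CSP frame-ancestors", FIXED_CSP_RESPONSE)):
        status, can_frame = check_raw(raw)
        print(f"{label:20s} status={status} frameable={can_frame}")
```

Note that a `frameable=False` result only addresses CVE-2015-5178; it says nothing about the CSRF (CVE-2015-5188) or header-size (CVE-2015-5220) issues, which are also resolved by removing the console rather than by a header.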
Environment
Release:
Component: ITPAM
Resolution
Remediation is in 4.3 SP02 for the following CVEs: CVE-2015-5220, CVE-2015-5188 and CVE-2015-5178.
All three CVEs concern the JBoss Management Console. As of 4.3 SP02, the management console folder originally located at <PAM_Installation_Location>\server\c2o\deploy is no longer present, so the affected component is not deployed at all.
This was addressed in 4.3 SP02 and 4.3 SP03. At those levels, Process Automation is not vulnerable to the CVEs mentioned.