Vulnerabilities: Application session does not expire and no temporary user account suspension
Article ID: 144428
CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)
In our recent security audit, the vulnerabilities listed below were identified. Can you please assist with the justification and resolution of these issues?
Application session does not expire: After closing the browser tab and restoring it, the session is identified as still active. This can result in session hijacking.
Temporary account lock/suspension is not available after multiple invalid login attempts.
Release : 6.6
Component : CA RELEASE AUTOMATION CORE
Please find below the resolution and justification for the identified issues.
Application session does not expire on closing the browser
The session expires when all browser windows, including non-RA tabs, are closed.
The session timeout at the server end is configurable; the default value is 60 minutes and can be changed as needed. We observed in the report that the session was restored within 4 minutes, which is why it was still active. If you need the session to expire after x minutes, configure it as instructed below; after that time the session at the server end will no longer be valid.
Configuring Session Timeout:
Open the file RA_HOME\webapps\datamanagement\WEB-INF\web.xml
Search for the line below; as you can see, the default value is 60 (in minutes) and can be changed to the required value.
Save the file and restart the Release Automation Server Service.
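An added audit check, not part of this article or of CA Release Automation, that reads the server-side idle timeout from a web.xml and flags values above a policy limit. It assumes the standard Servlet-spec `session-config/session-timeout` element (the article does not reproduce the exact line) and uses a constructed sample descriptor in place of the real RA_HOME\webapps\datamanagement\WEB-INF\web.xml:

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor modelled on a Java webapp web.xml; the
# session-config/session-timeout element is the standard Servlet-spec
# setting assumed to be the one the article refers to.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>datamanagement</display-name>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as {http://...}session-config."""
    return tag.rsplit("}", 1)[-1]


def _find_timeout(root):
    """Locate the session-timeout element regardless of the XML namespace."""
    for cfg in root.iter():
        if _local(cfg.tag) == "session-config":
            for child in cfg:
                if _local(child.tag) == "session-timeout":
                    return child
    return None


def get_session_timeout(xml_text):
    """Return the idle timeout in minutes, or None if the element is absent
    (then the servlet container's own default applies, not the app's)."""
    el = _find_timeout(ET.fromstring(xml_text))
    if el is None or el.text is None:
        return None
    return int(el.text.strip())


def check_session_timeout(xml_text, max_minutes=15):
    """Audit check: True only when a timeout is set and is within policy
    (max_minutes is a constructed policy value, not an RA setting)."""
    value = get_session_timeout(xml_text)
    return value is not None and 0 < value <= max_minutes


def set_session_timeout(xml_text, minutes):
    """Return the descriptor with session-timeout changed; raise rather than
    silently accept a file where the element could not be found."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    el = _find_timeout(root)
    if el is None:
        raise ValueError("no session-config/session-timeout element found")
    el.text = str(int(minutes))
    return ET.tostring(root, encoding="unicode")
```

Run it against the real descriptor by reading the file into `xml_text` before and after the change, then restart the Release Automation Server Service as the article instructs.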
Temporary account lock/suspension is not available on multiple invalid login attempts
RA does not have this feature implemented, but per our internal security review we do not consider this a vulnerability. If this feature is expected in the product, please engage with Product Management by posting an Enhancement Request on the RA Global Community.