Vulnerabilities- Application Session not expire and no temp user account suspension

book

Article ID: 144428

calendar_today

Updated On:

Products

CA Release Automation - Release Operations Center (Nolio) CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

In our recent security audit some of the vulnerabilities have been identified which are listed below. Can you please assist on justification and resolution of the same to descend the same.

  1. Application session doesn't not expires: After closing the browser tab and restoring the same the session is identified as active. This can result in session hijacking.
  2. Temporary account lock/suspension is not available on multiple invalid login attempts.

Environment

Release : 6.6

Component : CA RELEASE AUTOMATION CORE

Resolution

Please find resolution and justification of identified issues.

Application session does not expire on closing the browser
  • The session will be expired when all browsers included non-RA tab's are closed.
  • Session at server end is configurable and the default value set to is 60 minutes, which can be changed as per needs. We observed in report that session restoration is made in 4 minutes, which resulted in session been active. In case if your need is to expire session after x-minutes please configured the same as instructed below, post which session at server end will be no more valid.
  • Configuring Session Timeout:
    • Open the file RA_HOME\webapps\datamanagement\WEB-INF\web.xml
    • Search for the below line, as you can see default value is 60 (in minutes) the same can be changed to specific require value
<session-config>
         <session-timeout>60</session-timeout>
</session-config
    • Save the file and restart the Release Automation Server Service.

Temporary account lock/suspension is not available on multiple invalid login attempts
  • RA doesn't have this feature implemented, but as per internal security review we don't consider it as a vulnerability. In case if this feature is something expected in product we will request to please engage in discussion with Product Management and posting this as Enhancement Request on our RA Global Community.