
VIP Enterprise Gateway - XSS Reflected vulnerability fix


Article ID: 174138


Products

VIP Enterprise Gateway

Issue/Introduction

A critical reflected XSS vulnerability has been found in the VIP Enterprise Gateway (EG) console.

Reflected XSS definition: Reflected attacks are those where the injected script is reflected off the web server. The reflection can occur in an error message, a search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims by another route, such as an email message or another website. A user is tricked into clicking a malicious link, submitting a specially crafted form, or browsing to a malicious site. The injected code travels to the vulnerable website, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server. (X-XSS-Protection)

Environment

This issue was resolved in VIP Enterprise Gateway 9.9.2. 

Resolution

This issue was resolved in VIP Enterprise Gateway 9.9.2. 

VIP EG 9.8.4

  1. Download and extract EG_XSS_Patch.zip from this article. This patch contains two folders: 9.7.x and 9.8.x
  2. Log on to the VIP EG server.
  3. Stop all running VIP EG services (i.e., VIP Enterprise Gateway, VIP SSP IdP, VIP Manager IdP, VIP Validation Servers) from the console.
  4. Navigate to the EG installation path, then delete the jetty-* folder (e.g., C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\server\work\jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-)
  5. If Self-Service portal (SSP) IdP is configured on this EG, navigate to <INSTALL_DIR>/IDP/services/SSP, then delete the jetty-* folder. (e.g., C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway/IDP/services/SSP/jetty-0.0.0.0-8233-sspwebapp-_vipssp-any-)
  6. If VIP Manager IdP is configured, navigate to <INSTALL_DIR>/IDP/services/VIPMGR, then delete the jetty-* folder (e.g., C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway/IDP/services/VIPMGR/jetty-0.0.0.0-8234-vipmgrwebapp-_vipmgr-any-)
  7. Navigate to <INSTALL_DIR>/server/ext/, then rename engine.jar to engine.jar.old. Copy engine.jar from the 9.8.x folder in step 1 into this folder.
  8. Navigate to <INSTALL_DIR>/server/webapps/, then rename vipconsole.war to vipconsole.war.old. Copy vipconsole.war from the 9.8.x folder in step 1 into this folder.
  9. Restart all services. Alternatively, restart the server to restart all services.

VIP EG 9.7.1

  1. Download and extract EG_XSS_Patch.zip from this article. This patch contains two folders: 9.7.x and 9.8.x
  2. Log on to the VIP EG server.
  3. Stop all running VIP EG services (i.e., VIP Enterprise Gateway, VIP SSP IdP, VIP Manager IdP, VIP Validation Servers) from the console.
  4. Navigate to the EG installation path, then delete the jetty-* folder (e.g., C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\server\work\jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-)
  5. If self-service portal (SSP) IdP is configured on this EG, navigate to <INSTALL_DIR>/IDP/services/SSP, then delete the jetty-* folder. (e.g., C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway/IDP/services/SSP/jetty-0.0.0.0-8233-sspwebapp-_vipssp-any-)
  6. If VIP Manager IdP is configured on this EG, navigate to <INSTALL_DIR>/IDP/services/VIPMGR, then delete the jetty-* folder (e.g., C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway/IDP/services/VIPMGR/jetty-0.0.0.0-8234-vipmgrwebapp-_vipmgr-any-)
  7. Navigate to <INSTALL_DIR>/server/ext/, then rename engine.jar to engine.jar.old. Copy engine.jar from the 9.7.x folder in step 1 into this folder.
  8. Navigate to <INSTALL_DIR>/server/webapps/, then rename vipconsole.war to vipconsole.war.old. Copy vipconsole.war from the 9.7.x folder in step 1 into this folder.
  9. Navigate to <INSTALL_DIR>/conf. Copy localHosts.conf from the 9.7.x folder in step 1 into this folder. Edit this file with a standard text editor and follow the instructions in the file for whitelisting the EG host name and port number.
  10. Restart all services. Alternatively, restart the server to restart all services.
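The file-level steps (4 to 9) for both versions, as an added helper written for this article and not Symantec's own patch tooling. It assumes the services have already been stopped from the console (step 3); the folder and file names are the ones listed above, and the install tree that demo() builds in a temp directory is a constructed fixture, not a real EG.

```python
import shutil
import tempfile
from pathlib import Path

def delete_jetty_work_dirs(install_dir, ssp_configured, vipmgr_configured):
    """Steps 4-6: remove the exploded jetty-* work folders so Jetty re-extracts the patched WARs."""
    roots = [install_dir / "server" / "work"] + [install_dir / "IDP" / "services" / name
             for name, configured in (("SSP", ssp_configured), ("VIPMGR", vipmgr_configured)) if configured]
    removed = []
    for root in roots:
        for work_dir in (d for d in root.glob("jetty-*") if d.is_dir()):
            shutil.rmtree(work_dir)
            removed.append(work_dir.name)
    return removed

def replace_with_backup(target, patched):
    """Steps 7-8: keep the original as <name>.old, then copy the patched file into place."""
    if not patched.is_file():
        raise FileNotFoundError(f"patch file missing: {patched}")
    backup = target.with_name(target.name + ".old")
    if backup.exists():  # a leftover .old means an earlier run; stop rather than lose the real original
        raise FileExistsError(f"backup already exists: {backup}")
    target.rename(backup)
    shutil.copy2(patched, target)
    return backup.name

def apply_patch(install_dir, patch_root, patch_folder, ssp_configured=False, vipmgr_configured=False):
    """Steps 4-9 for an EG whose services were already stopped from the console (step 3)."""
    install_dir, patch_dir = Path(install_dir), Path(patch_root) / patch_folder  # patch_folder: "9.7.x" or "9.8.x"
    removed = delete_jetty_work_dirs(install_dir, ssp_configured, vipmgr_configured)
    backups = [replace_with_backup(install_dir / "server" / "ext" / "engine.jar", patch_dir / "engine.jar"),
               replace_with_backup(install_dir / "server" / "webapps" / "vipconsole.war", patch_dir / "vipconsole.war")]
    if patch_folder == "9.7.x":  # step 9; the host name/port whitelist in this file must still be edited by hand
        shutil.copy2(patch_dir / "localHosts.conf", install_dir / "conf" / "localHosts.conf")
    return {"removed": removed, "backups": backups}

def demo():
    """Constructed fixture: a throwaway fake EG 9.7.1 install tree plus patch folder, not a real server."""
    root = Path(tempfile.mkdtemp())
    install, patch = root / "VIP_Enterprise_Gateway", root / "EG_XSS_Patch" / "9.7.x"
    old = ["server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-/x", "server/ext/engine.jar",
           "IDP/services/SSP/jetty-0.0.0.0-8233-sspwebapp-_vipssp-any-/x", "server/webapps/vipconsole.war", "conf/.keep"]
    for path in [install / p for p in old] + [patch / p for p in ("engine.jar", "vipconsole.war", "localHosts.conf")]:
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("patched" if patch in path.parents else "old")
    result = apply_patch(install, root / "EG_XSS_Patch", "9.7.x", ssp_configured=True)
    result["engine_jar"], result["conf_copied"] = (install / "server/ext/engine.jar").read_text(), (install / "conf/localHosts.conf").is_file()
    shutil.rmtree(root)
    return result
```

Run demo() to see the work folders removed, the two .old backups created and the patched files in place; on a real server, check for an existing .old file before rerunning, since the helper refuses to overwrite one.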

Attachments

EG_XSS_Patch.zip