
VIP Enterprise Gateway console 9.8.4 – Clickjacking vulnerability fix.


Article ID: 174394


Products

VIP Enterprise Gateway

Issue/Introduction

A medium-severity clickjacking vulnerability has been found in the VIP Enterprise Gateway (EG) console.

Vulnerability Description:

The web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header on all content responses. Without one of these headers a browser will allow the console pages to be embedded in a frame on an attacker-controlled site, which exposes them to clickjacking (UI redress): the attacker overlays or hides the framed console page and tricks an authenticated user into clicking an area of the page that differs from what the user believes they are clicking. This can result in the user performing fraudulent or malicious transactions in the console without realising it.
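A quick way to test for the missing header before and after patching, as an added example that is not part of this KB article: the POSIX shell function below reads raw HTTP response headers (for instance saved with `curl -sSI` against the console URL) and reports whether an X-Frame-Options header with DENY or SAMEORIGIN, or a Content-Security-Policy header carrying a frame-ancestors directive, is present. The obsolete ALLOW-FROM value and a Content-Security-Policy-Report-Only header are deliberately not counted, because browsers do not block framing on either. The port 8232 and the /vipegconsole path in the usage comment are assumptions inferred from the Jetty work-directory name in the Resolution steps, not a documented console URL.

```shell
#!/bin/sh
# Added example, not code from the KB article or from the VIP EG product.
# Checks a saved set of HTTP response headers for an anti-framing header.
# Usage:
#   curl -sSI https://eg-host:8232/vipegconsole/ > hdrs.txt   # URL is an assumption
#   sh check_frame_headers.sh hdrs.txt
# Exit status 0 = protected, 1 = page can be framed.

frame_headers_present() {
    # $1: file with raw response headers, one "Name: value" per line
    # (CRLF line endings as produced by curl are fine).
    hdrs="$1"

    # Header names are case-insensitive, hence -i. Only DENY and SAMEORIGIN
    # count; ALLOW-FROM is obsolete and ignored by current browsers.
    if grep -iqE '^x-frame-options:[[:space:]]*(deny|sameorigin)' "$hdrs"; then
        echo "protected: X-Frame-Options set"
        return 0
    fi

    # The anchor '^content-security-policy:' does not match the
    # '-report-only' variant, which reports violations but does not block.
    if grep -iE '^content-security-policy:' "$hdrs" | grep -iq 'frame-ancestors'; then
        echo "protected: CSP frame-ancestors directive set"
        return 0
    fi

    echo "NOT protected: no X-Frame-Options and no CSP frame-ancestors"
    return 1
}

# Run the check when a headers file is given on the command line.
if [ "$#" -ge 1 ]; then
    frame_headers_present "$1"
fi
```

Run it against the console before applying the patch to reproduce the finding, and again after restarting the services to confirm the fix; check every console response, not only the login page, since the finding is that the header is missing on some responses.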

Resolution

VIP EG 9.8.4 Instructions:

Note: This patch applies only to VIP EG 9.8.4 (Windows/Linux). Upgrade existing installations to VIP EG 9.8.4 before proceeding.

  1. Log directly into the VIP EG 9.8.4 server machine(s). Download VIP_EG984_Patch.zip (attached below) and extract it onto the server.
  2. Stop all VIP EG services (VIP Enterprise Gateway, SSP IdP, VIP Manager IdP, etc.).
  3. Navigate to the EG install path and delete the /server/work/jetty-*** folder (e.g., <INSTALL_DIR>/server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-). This is Jetty's exploded copy of the console WAR; it is recreated from the patched WAR on the next start.
  4. If the self-service portal (SSP) IdP is configured, delete the /IDP/services/SSP/jetty-*** folder (e.g., <INSTALL_DIR>/IDP/services/SSP/jetty-0.0.0.0-8233-sspwebapp-_vipssp-any-).
  5. If VIP Manager IdP is configured, delete the /IDP/services/VIPMGR/jetty-*** folder (e.g., <INSTALL_DIR>/IDP/services/VIPMGR/jetty-0.0.0.0-8234-vipmgrwebapp-_vipmgr-any-).
  6. Navigate to <INSTALL_DIR>/server/ext/ and create a backup of the existing engine.jar. Copy the new engine.jar from the patch into this folder.
  7. Navigate to <INSTALL_DIR>/server/webapps/ and create a backup of the existing vipconsole.war. Copy the new vipconsole.war from the patch into this folder.
  8. Restart all VIP services. Then, from a fresh browser session, confirm that the console responses now carry an X-Frame-Options or Content-Security-Policy 'frame-ancestors' header.
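The file-level part of the procedure (steps 3 to 7) on a Linux host, as an added example that is not part of this KB article or of the product: a POSIX shell function that removes the Jetty work directories, backs up engine.jar and vipconsole.war with a timestamp suffix, copies in the patched files, and refuses to start if any of the four files is missing, so a typo in a path cannot leave the installation half-patched. It assumes that the extracted VIP_EG984_Patch.zip contains engine.jar and vipconsole.war at its top level (the article does not describe the archive layout). It deliberately does not stop or start the services (steps 2 and 8), because the KB does not give the service control commands; run it between those two manual steps.

```shell
#!/bin/sh
# Added example, not code from the KB article or from the VIP EG product.
# Applies steps 3-7 of the VIP EG 9.8.4 clickjacking patch on Linux.
# Run AFTER stopping the VIP EG, SSP IdP and VIP Manager IdP services
# (step 2) and restart them afterwards (step 8); those commands are not
# given in the article and are intentionally not scripted here.
#
# Usage: sh apply_vip_eg_patch.sh <INSTALL_DIR> <PATCH_DIR>
#   PATCH_DIR: where VIP_EG984_Patch.zip was extracted; assumed to hold
#              engine.jar and vipconsole.war at its top level.

apply_vip_eg_patch() {
    install_dir="$1"
    patch_dir="$2"
    stamp=$(date +%Y%m%d%H%M%S)

    # Refuse to run unless both the targets and the patch files exist,
    # so nothing is deleted or overwritten on a bad path.
    for f in "$install_dir/server/ext/engine.jar" \
             "$install_dir/server/webapps/vipconsole.war" \
             "$patch_dir/engine.jar" \
             "$patch_dir/vipconsole.war"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done

    # Steps 3-5: remove Jetty's exploded work directories so the patched
    # WAR is re-extracted on the next start. The SSP and VIPMGR trees are
    # skipped when those IdPs are not configured (directory absent).
    for work in "$install_dir/server/work" \
                "$install_dir/IDP/services/SSP" \
                "$install_dir/IDP/services/VIPMGR"; do
        [ -d "$work" ] || continue
        for j in "$work"/jetty-*; do
            [ -e "$j" ] || continue     # glob matched nothing
            echo "removing $j"
            rm -rf "$j"
        done
    done

    # Steps 6-7: keep a timestamped backup beside each original, then
    # copy in the patched file under its original name.
    for name in server/ext/engine.jar server/webapps/vipconsole.war; do
        target="$install_dir/$name"
        cp -p "$target" "$target.bak.$stamp" || return 1
        cp "$patch_dir/$(basename "$name")" "$target" || return 1
        echo "replaced $target (backup: $target.bak.$stamp)"
    done
    return 0
}

if [ "$#" -eq 2 ]; then
    apply_vip_eg_patch "$1" "$2"
fi
```

The timestamped .bak copies stay next to the originals, so rolling back is a matter of copying them back and clearing the same jetty-* work directories again before restarting.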

Attachments

VIP_EG984_Patch.zip