Clarity: Application Not Using Secured Cookies When SSL Is Enabled

Article ID: 18471


Products

Clarity PPM SaaS, Clarity PPM On Premise

Issue/Introduction

Description:

Clarity does not set the Secure flag on its session cookie even when the application is configured to use HTTPS. This is a potential security vulnerability within Clarity itself.

Environments tested:

  1. Clarity on SQL Server with Tomcat as the application server, HTTPS enabled. The following scenarios were tested:

    Scenario A: useHttpOnlySessionCookie and useSecureSessionCookie set to true in the <webServerInstance/> element of properties.xml
    Scenario B: useHttpOnlySessionCookie and useSecureSessionCookie not specified
    Scenario C: useHttpOnlySessionCookie and useSecureSessionCookie set to false

  2. Clarity on Oracle with WebLogic as the application server, both HTTP and HTTPS enabled. The same scenarios were tested:

    Scenario A: useHttpOnlySessionCookie and useSecureSessionCookie set to true in the <webServerInstance/> element of properties.xml
    Scenario B: useHttpOnlySessionCookie and useSecureSessionCookie not specified
    Scenario C: useHttpOnlySessionCookie and useSecureSessionCookie set to false

    The behavior is the same in both environments: the session cookie is not being sent with the Secure flag.

Security scans are reporting the following finding:

The session cookie is issued without the Secure flag, so a browser will also send it over an unencrypted HTTP connection to the same host, even when the cookie was originally set during an SSL-negotiated session. The usual recommendation from these scans is to set both the HttpOnly and Secure flags on the cookie, so that the browser only transmits it over HTTPS connections and does not expose it to client-side script.
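The following script is an added example (it is not part of this article and not Clarity's own code) that reproduces what such a scan checks: it parses the Set-Cookie headers of an HTTPS response and lists, per cookie, which of the Secure and HttpOnly flags are missing. The embedded sample headers are constructed for illustration; the cookie names and paths in them are not taken from Clarity. Run it against the Clarity login URL after each of the scenarios above to confirm what the server actually sends.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example for this KB article; not part of Clarity or of the article.
"""
import http.client
import ssl
from urllib.parse import urlsplit

# Constructed sample headers (not captured from Clarity), modelled on what a
# scanner sees from an application whose session cookie lacks the Secure flag.
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C4D5E6F; Path=/",
    "sessionId=abc123; Path=/; HttpOnly",
    "hardened=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased so Secure/secure compare equal; flag
    attributes without a value (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def audit_set_cookie(header):
    """Return (cookie name, list of missing flags) for one header value."""
    name, attrs = parse_set_cookie(header)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return name, missing


def audit_headers(headers):
    """Map each cookie name to the flags it is missing."""
    return dict(audit_set_cookie(h) for h in headers)


def fetch_set_cookie(url, verify=True):
    """GET the URL over HTTPS and return every raw Set-Cookie header value.

    verify=False is only for lab hosts with self-signed certificates.
    """
    parsed = urlsplit(url)
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(
        parsed.hostname, parsed.port or 443, timeout=10, context=ctx
    )
    conn.request("GET", parsed.path or "/")
    resp = conn.getresponse()
    # getheaders() keeps repeated Set-Cookie headers as separate entries.
    headers = resp.getheaders()
    conn.close()
    return [value for key, value in headers if key.lower() == "set-cookie"]


if __name__ == "__main__":
    import sys

    # With a URL argument the live response is audited; otherwise the sample.
    cookies = fetch_set_cookie(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for cookie_name, missing_flags in audit_headers(cookies).items():
        verdict = "OK" if not missing_flags else "MISSING " + ", ".join(missing_flags)
        print(f"{cookie_name}: {verdict}")
```

Note that the script connects over HTTPS on purpose: the finding is not that the cookie is set over plaintext, but that a cookie set over TLS without the Secure flag will later be sent by the browser over plain HTTP to the same host, which is where a network attacker can read it.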


Environment

Release: ESPCLA99000-12.1-Clarity-Extended Support Plus

Resolution

Solution:

WORKAROUND:

No workaround is available at this time for the absence of the Secure flag on the session cookie.

STATUS/RESOLUTION:

Resolved in Clarity 13.2

Keywords: CLARITYKB, CLRT-66212, clarity13resolved, clarity132resolved.