
XSS vulnerabilities with DevTest 10.5.0 IAM


Article ID: 189230


Products

CA Cloud Test Mobile CA Application Test

Issue/Introduction

We received the two potential vulnerability notifications below. Please let us know if DevTest 10.5 is good to go or needs to be patched.

CVE-2014-3656 - JBoss Keycloak login-status-iframe.html Endpoint origin Parameter Reflected XSS

CVE-2013-6495 - JBossWeb Bayeux has reflected XSS

Below is all the info we received for the 2 items:

CVE-2014-3656

Discussion: JBoss Keycloak contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the login-status-iframe.html endpoint does not validate input to the 'origin' parameter before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.  

  
Recommended Remediation: For information please refer to the following site(s):
https://web.nvd.nist.gov/view/vuln/search
https://tools.cisco.com/security/center/home.x
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
https://cve.mitre.org/cve/cve.html

Product: redhat.jboss_keycloak.-
Alert Publication Date: 12/10/2019

CVE-2013-6495

Discussion: JBossWeb Bayeux has reflected XSS  
  
Recommended Remediation: For information please refer to the following site(s):
https://web.nvd.nist.gov/view/vuln/search
https://tools.cisco.com/security/center/home.x
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
https://cve.mitre.org/cve/cve.html

Product: redhat.jboss_enterprise_application_platform.6.0.0 up to (excluding) 6.1.1, redhat.jboss_portal.6.0.0 up to (excluding) 6.1.0
Alert Publication Date: 12/11/2019


Cause

XSS vulnerability.

Environment

Release : 10.5.1

Component : CA Service Virtualization

Resolution

Please follow the instructions below to resolve the XSS vulnerabilities in IAM:

1. Go to the DEVTEST_HOME/IdentityAccessManager/standalone/configuration folder.
2. Take a backup of standalone.xml.
3. Open standalone.xml in the configuration folder.
4. Search for the <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block. It contains a <host> tag.
5. Inside the <host> tag, directly below <http-invoker security-realm="ApplicationRealm"/>, add the following lines:
    <filter-ref name="X-Frame-Options"/>
    <filter-ref name="x-xss-protection"/>
    <filter-ref name="strict-transport-security"/>
    <filter-ref name="content-security-policy"/>
    <filter-ref name="x-Content-type-options"/>
6. Now add the following lines after the <handlers></handlers> tag in the same <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block (each filter name must match the filter-ref added in step 5):
    <filters>
       <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
       <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
       <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
       <response-header name="content-security-policy" header-name="content-security-policy" header-value="default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;"/>
       <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
    </filters>
7. Save and exit, then restart IAM so the new standalone.xml is loaded.

Re-run the scan and let me know if this resolves the vulnerability.
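Before re-running the full scan, the following added check (not part of this article or the product) confirms that the IAM host is actually emitting the five response headers configured in the filters above. The target URL is an assumption passed on the command line; the expected values are copied from the <filters> block.

```python
"""Verify the security response headers configured in standalone.xml.

Added example, not from the article. Fetches one URL and compares the
returned headers with the values set by the Undertow response-header
filters. Pass the IAM URL as the first argument (assumed, e.g. https://iam-host:port/auth/).
"""
import ssl
import sys
import urllib.request

# Header values exactly as configured in the <filters> block above.
EXPECTED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": ("default-src ; style-src 'unsafe-inline'; "
                                "script-src * 'unsafe-inline' 'unsafe-eval'; "
                                "img-src * data: 'unsafe-inline'; "
                                "connect-src * 'unsafe-inline'; frame-src *;"),
    "X-Content-Type-Options": "nosniff",
}


def normalize(value):
    """Collapse whitespace so formatting differences in a CSP do not cause false alarms."""
    return " ".join(value.split())


def check_headers(headers):
    """Return {header: problem} for each expected header that is missing or has a wrong value.

    `headers` is any mapping of name -> value; HTTP header names are case-insensitive,
    so the lookup ignores case.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    problems = {}
    for name, want in EXPECTED.items():
        got = lowered.get(name.lower())
        if got is None:
            problems[name] = "missing"
        elif normalize(got) != normalize(want):
            problems[name] = f"unexpected value: {got!r}"
    return problems


def fetch_headers(url, verify_tls=True):
    """GET `url` and return its response headers as a dict (self-signed certs need verify_tls=False)."""
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_iam_headers.py <IAM URL>")
    problems = check_headers(fetch_headers(sys.argv[1], verify_tls=False))
    for name, problem in problems.items():
        print(f"{name}: {problem}")
    sys.exit(1 if problems else 0)
```

Note that the configured CSP allows script-src * 'unsafe-inline' 'unsafe-eval', so it does not itself block injected scripts; this check confirms the headers are delivered, not that reflected XSS is mitigated by the policy.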