search cancel

SV- QID 11827 on DevTest 10.4 Vulnerability Patch

book

Article ID: 190427

calendar_today

Updated On:

Products

CA Cloud Test Mobile CA Application Test

Issue/Introduction

 10.4 QID 11827 - Remediation patch details  

 

 

Environment

Release : 10.4

Component : CA Service Virtualization

Resolution


1. "patch_DE439275_10.4.0_GA.jar". This includes both "X-XSS-Protection HTTP Header missing on port 1505" and "Strict-Transport-Security HTTP Header missing on port 1505" fixes.
     1. Stop all the services.
     2. Go to the /lib/patches folder. (Create the patches folder if it doesn't exist).
     3. Copy and paste the attached patch 'patch_DE439275_10.4.0_GA.jar' into the patches folder.
     4. Restart all the components.
     5. Run a scan.

Additionally, you can verify the fix by hitting the URL "https://localhost:1505" in a browser after applying the patch and verify the response headers listed under the browser Network tab for that URL. You should now see the below response headers:
Strict-Transport-Security: max-age=31556926; includeSubDomains
Content-Security-Policy: default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block


To cross check the same at your end, use below command, this will display all the response headers returned by server.

Note- You need to install curl it if it is not installed.

curl -I http://localhost:1506/#/


curl -I http://localhost:1505/


2. patch_DE417146_10.4.0_GA_2099.jar
Steps to apply the patch for port 2099.
       1. Shutdown all the running component.
       2. Go to- LISA_HOME/lib/patches (if patches folder is not there please create it).
       3. copy and paste the patch(patch_DE417146_10.4.0_GA_2099.jar) into patches folder.
       4. Start your all components.
       5. Run your security check.


3. There is no jar for 51112.. but a series of steps
Steps for fixing 51112:


1. Go to <LISA_HOME>/IdentityAccessManager/standalone/configuration folder.
2. Take the back up of standalone.xml
3. Open standalone.xml of configuration folder.
4. Search for <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block. It has a tag name <host>
5. In the <host > tag and below <http-invoker security-realm="ApplicationRealm"/>, add the below lines:
    <filter-ref name="X-Frame-Options"/>
    <filter-ref name="x-xss-protection"/>
    <filter-ref name="strict-transport-security"/>
    <filter-ref name="content-security-policy"/>
    <filter-ref name="x-Content-type-options"/>
6- Now add the below lines under <handlers></handlers> tag in the same <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block
    <filters>
       <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
       <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
       <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
       <response-header name="content-security-policy" header-name="content-security-policy" header-value="default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline';         connect-src * 'unsafe-inline'; frame-src *;"/>
       <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
    </filters>
7. Save and exit.
8. Restart IAM.