Vulnerabilities DevTest 10.6

Article ID: 193176

Products

CLOUDTEST, CA Application Test, CA Cloud Test Mobile, MOBILECLOUD, Service Virtualization

Issue/Introduction

A vulnerability scan of DevTest 10.6 reported the following findings (the numbers are the finding IDs as reported by the scanner):

  • HTTP Security Header Not Detected 51112
  • Session Cookie Does Not Contain the "Secure" Attribute 1505

What are the fixes for these findings?

Environment

Release : 10.6

Component : CA Service Virtualization

Resolution

The fixes for these findings are as follows:

  • HTTP Security Header Not Detected 51112
    A standalone.xml previously supplied for this finding was customized for a single customer's environment and must not be applied to other installations. If it was applied, revert to the original standalone.xml first, then make the change below. The change adds the missing response headers in the Undertow web subsystem of the IAM server configuration.
    Follow these instructions to apply the fix for finding 51112:
    1. Go to the <LISA_HOME>/IdentityAccessManager/standalone/configuration folder.
    2. Take a backup of standalone.xml.
    3. Open standalone.xml from that folder.
    4. Search for the <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block. It contains a <host> element.
    5. Inside the <host> element, directly below <http-invoker security-realm="ApplicationRealm"/>, add the following lines:
        <filter-ref name="X-Frame-Options"/>
        <filter-ref name="x-xss-protection"/>
        <filter-ref name="strict-transport-security"/>
        <filter-ref name="content-security-policy"/>
        <filter-ref name="x-Content-type-options"/>
    6. In the same <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block, add the following <filters> element immediately after the closing </handlers> tag (it is a sibling of <handlers>, not a child of it):
        <filters>
           <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
           <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
           <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
           <response-header name="content-security-policy" header-name="content-security-policy" header-value="default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;"/>
           <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
        </filters>
    7. Save and exit.
    8. Restart IAM.
    Notes before applying:
    - Each <filter-ref name="..."> must match the name="..." of a <response-header> in <filters> exactly, including case; the two lists above are deliberately identical, so copy them as written.
    - Strict-Transport-Security only takes effect on responses served over HTTPS. Once a browser has seen it, it will refuse plain HTTP to that host for a year, and with includeSubDomains to every subdomain of that host as well, so confirm that all of them serve HTTPS before enabling it.
    - The Content-Security-Policy value above permits scripts from any origin together with 'unsafe-inline' and 'unsafe-eval'. It satisfies a header-presence check but provides little protection against cross-site scripting; tighten it only after confirming the IAM user interface still works with a stricter policy.
    - X-XSS-Protection is a legacy header that current browsers ignore; sending it is harmless and keeps the scanner satisfied.

  • Session Cookie Does Not Contain the "Secure" Attribute 1505
    A patch for this finding was built for DevTest 10.4 and also applies to DevTest 10.6. Contact Broadcom Support to obtain it. Note that the Secure attribute only instructs the browser not to send the cookie over plain HTTP, so the fix is effective only when IAM is accessed over HTTPS.
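The following script is an added verification example for both findings above; it is not part of this article or of DevTest. After restarting IAM, capture the response headers with curl and run the script on the dump: it reports any of the five configured headers that is missing (finding 51112) and any Set-Cookie that lacks the Secure or HttpOnly attribute (finding 1505). The IAM URL, the cookie name JSESSIONID and the two sample responses embedded in the script are constructed for illustration.

```shell
#!/bin/bash
# Added verification script (not part of the Broadcom article or DevTest):
# checks a raw HTTP response-header dump for the five headers configured in
# standalone.xml (finding 51112) and for Secure/HttpOnly on every cookie
# (finding 1505).
#
# Capture live headers after the restart with (URL is an assumption; use the
# URL your scanner reported):
#   curl -skI "https://<iam-host>:<port>/" > headers.txt && ./check_iam_headers.sh headers.txt

REQUIRED_HEADERS="X-Frame-Options X-XSS-Protection Strict-Transport-Security Content-Security-Policy X-Content-Type-Options"

# check_headers FILE
# Prints one line per problem and returns 0 when clean, 1 otherwise.
# CRLF line endings produced by curl are stripped before matching.
check_headers() {
    file="$1"
    rc=0
    for h in $REQUIRED_HEADERS; do
        # Header names are case-insensitive, so "content-security-policy" counts.
        if ! tr -d '\r' < "$file" | grep -qi "^$h:"; then
            echo "MISSING header: $h"
            rc=1
        fi
    done
    # Every Set-Cookie must carry Secure (finding 1505); HttpOnly is checked too.
    while IFS= read -r cookie; do
        [ -z "$cookie" ] && continue
        name=${cookie#*: }
        name=${name%%=*}
        # The attribute must appear as its own "; Secure" token, not inside a value.
        if ! printf '%s\n' "$cookie" | grep -qiE ';[[:space:]]*Secure[[:space:]]*(;|$)'; then
            echo "COOKIE without Secure: $name"
            rc=1
        fi
        if ! printf '%s\n' "$cookie" | grep -qiE ';[[:space:]]*HttpOnly[[:space:]]*(;|$)'; then
            echo "COOKIE without HttpOnly: $name"
            rc=1
        fi
    done <<EOF
$(tr -d '\r' < "$file" | grep -i '^Set-Cookie:')
EOF
    return $rc
}

# Constructed sample of a hardened response (not captured from a real system).
write_sample_hardened() {
cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
content-security-policy: default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=constructed-sample-value; Path=/; Secure; HttpOnly
EOF
}

# Constructed sample of an unpatched response: no security headers, bare cookie.
write_sample_unpatched() {
cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=constructed-sample-value; Path=/
EOF
}

# With a file argument, check that dump; otherwise run the two samples.
if [ "$#" -ge 1 ]; then
    check_headers "$1"
    exit $?
fi
for sample in write_sample_unpatched write_sample_hardened; do
    tmp=$(mktemp)
    "$sample" "$tmp"
    echo "== $sample =="
    if check_headers "$tmp"; then echo "clean"; else echo "problems found"; fi
    rm -f "$tmp"
done
```

The script exits non-zero whenever it prints a problem, so it can be dropped into a post-change check or a CI job that curls the IAM endpoint. Run it against the login page and against at least one authenticated response, since session cookies are typically only set after login.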