HTTP Tracing Vulnerability on IDM JCS Servers

book

Article ID: 195710

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

During vulnerability scanning, a customer identified the CA IDM (Identity Manager) JAVA Connector Server (JCS) was running HTTP tracing

Reference:

CVE-2003-1567,

CVE-2004-2320,

CVE-2010-0386

Cause

This is a false positive.

Environment

Release : 14.3

Component : IdentityMinder(Identity Manager)

Resolution

In general terms, the JCS is supposed to be inside the network and not exposed to the DMZ or the internet and therefore the HTTP TRACE method active should not be considered a security vulnerability.  However in this case we are able to confirm that the issue is a false positive.  HTTP TRACE is turned off on the JCS.

 

You can review this in your own environment, using Google Chrome and the development tools.

 

Open Google Chrome > Press F12 or go to developer tools > Click on Application Tab > Load the URL for your connector server in the browser header > Click on cookies on the left panel > Select your cookie > Confirm that HTTP Only is not enabled.

Note: If it doesn't show up that means it is disabled.

http://camel.apache.org/jetty.html traceEnabled false Specifies whether to enable HTTP TRACE for this Jetty consumer. By default, TRACE is turned off. In our deployment, it is off.

 

In the screenshot above you will see that HTTP Only does not have a checkbox which means it is turned off.