The security team has detected a vulnerability on my CABI server.
CABI is running the bundled 4.20 version.
Name: Web Application Potentially Vulnerable to Clickjacking
URL: https://www.tenable.com/plugins/nessus/85582
Plugin output: https://<CABI_URL>/cabijs/login.html
Please advise if there is a solution or patch for this vulnerability.
Release: 20.1
Component: UIM - CABI
Follow the steps below to address this.
Keep a backup of applicationContext-security-web.xml from the CABI server.
Open the applicationContext-security-web.xml file (found in the ..\Nimsoft\probes\service\wasp\webapps\cabijs\WEB-INF folder).
1) Locate the "antiClickJackingEnabled" property in the webAppSecurityFilter bean and set it to true.
Setting this property to true instructs CABI Server to include an X-Frame-Options header in every response, which is the header the scanner checks for.
2) Set "antiClickJackingOption" to ALLOW-FROM.
3) Add one more property alongside it: key "antiClickJackingUri", value the UMP robot address in the form http(s)://<FQDN or IP of ump-robot>:<port>. Only one origin can be named, and it must match the scheme, host and port that browsers use to reach UMP.
Note that ALLOW-FROM is honored by Internet Explorer and older Firefox releases only; Chrome, Edge and current Firefox ignore an X-Frame-Options header whose value is ALLOW-FROM, so in those browsers the page stays frameable even though the header is present. The standards-based equivalent that all current browsers honor is a Content-Security-Policy frame-ancestors directive naming the UMP origin.
4) Then, from Infrastructure Manager (IM), open Raw Configure on the cabi probe and edit the cabi_url value. Set it to the CABI robot's FQDN, like this:
http(s)://<FQDN-of-cabi-robot>:<port>/cabijs
Then restart both the CABI and UMP robots.
Access UMP using its FQDN as well, so that the origin the browser sends matches the antiClickJackingUri value exactly.
Check that the summary page loads.
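The following is an added check, not part of the Broadcom article, for confirming what the CABI login page actually returns after the change. It classifies a raw HTTP header dump the way Nessus plugin 85582 does (no X-Frame-Options and no CSP frame-ancestors means "unprotected") and additionally flags the ALLOW-FROM case, which clears the scanner but is ignored by Chromium-based browsers. The hostnames are placeholders and the three sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: classify a response from
# https://<CABI_URL>/cabijs/login.html the way a clickjacking scanner would.
# Hostnames are placeholders; the sample responses below are constructed.

# classify_framing_headers RAW_HEADERS
# Prints one of:
#   protected        - CSP frame-ancestors, or X-Frame-Options DENY/SAMEORIGIN
#   allow-from-only  - only X-Frame-Options: ALLOW-FROM is present (Chromium and
#                      current Firefox ignore it, so the page is still frameable)
#   unprotected      - no framing restriction at all (what Nessus 85582 reports)
classify_framing_headers() {
    # normalise: strip CR from curl -I output, lower-case names and values
    lower=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')
    if printf '%s\n' "$lower" | grep -q '^content-security-policy:.*frame-ancestors'; then
        echo protected
        return 0
    fi
    xfo=$(printf '%s\n' "$lower" | grep '^x-frame-options:' | head -n 1 \
          | cut -d: -f2- | tr -d ' ')
    case "$xfo" in
        deny|sameorigin) echo protected ;;
        allow-from*)     echo allow-from-only ;;
        *)               echo unprotected ;;
    esac
    return 0
}

# Constructed sample: CABI login page before the change (no framing header).
BEFORE='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/cabijs; HttpOnly'

# Constructed sample: after setting antiClickJackingOption=ALLOW-FROM and
# antiClickJackingUri to the (placeholder) UMP origin.
AFTER='HTTP/1.1 200 OK
X-Frame-Options: ALLOW-FROM https://ump.example.com:443
Content-Type: text/html;charset=UTF-8'

# Constructed sample: the standards-based alternative every current browser honours.
CSP='HTTP/1.1 200 OK
Content-Security-Policy: frame-ancestors https://ump.example.com:443
Content-Type: text/html;charset=UTF-8'

echo "before: $(classify_framing_headers "$BEFORE")"   # unprotected
echo "after:  $(classify_framing_headers "$AFTER")"    # allow-from-only
echo "csp:    $(classify_framing_headers "$CSP")"      # protected

# Against the live server (replace the placeholder), feed curl's header dump in:
#   classify_framing_headers "$(curl -skI https://cabi.example.com:443/cabijs/login.html)"
```

Run it once before editing applicationContext-security-web.xml and once after the restart; the second run should no longer report "unprotected". If it reports "allow-from-only", the scanner finding is resolved but users on Chrome and Edge are not actually protected by the header.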
The following Chrome setting may also be required for the summary dashboards to load in UMP:
1. In your browser session, navigate to chrome://flags
2. Change "SameSite by default cookies" from 'Default' to 'Disabled'
This is a client-side workaround. The CABI dashboard is loaded in a frame from the UMP origin, so Chrome treats the CABI session cookie as a cross-site cookie and drops it unless the cookie is issued with SameSite=None; Secure. Later Chrome releases removed this flag, so on current browsers the cookie attribute has to be set on the server side instead.
Related article: CABI Summary dashboard does not work in Chrome (UIM 9.20)
Article Id: 186993
https://knowledge.broadcom.com/external/article?articleId=186993