ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

UIM - Clickjacking vulnerability detected on CABI 4.20

book

Article ID: 199320

calendar_today

Updated On:

Products

CA Unified Infrastructure Management On-Premise (Nimsoft / UIM) NIMSOFT PROBES DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Security team has detected vulnerability on my CABI server.
The CABI is running on bundled 4.20 version.

Name: Web Application Potentially Vulnerable to Clickjacking
URL: https://www.tenable.com/plugins/nessus/85582
Plugin output: https://<CABI_URL>/cabijs/login.html


Advice if there is a solution or patch for this vulnerability.



Environment

Release : 20.1

Component : UIM - CABI

Resolution

Follow steps below to address this 

Keep backup of applicationContext-security-web.xml from cabi server

Open the applicationContext-security-web.xml file (found in ..\Nimsoft\probes\service\wasp\webapps\cabijs\WEB-INF folder).

1)Locate the "antiClickJackingEnabled" property in the webAppSecurityFilter bean, and set it to true.
Setting this property to true instructs CABI Server to include an X-Frame-Options header in every response

2) Set antiClickJackingOption to ALLOW-FROM.

3)In this case, you need to add one more property similar to it. Assign key as "antiClickJackingUri"
and value as UMP robot IP(http(s)://<FQDN or IP of ump-robot>:<port>

4)Then from IM, navigate to Raw configure of cabi probe and edit the cabi_url value. Set it to the CABI robot's FQDN like this:

http(s)://<FQDN-of-cabi-robot>:<port>/cabijs

Then restart both CABI and UMP robot .

Access UMP also using its FQDN.

Check if summary page gets loaded

Example

Additional Information

Also might require set below in chrome to load summary dashboards in ump

1. In your browser session, navigate to chrome://flags

2. Set "SameSite by default cookies" from 'Default' to 'Disabled'


CABI Summary dashboard does not work in Chrome (UIM 9.20)
Article Id: 186993

https://knowledge.broadcom.com/external/article?articleId=186993

Attachments