Vulnerability Description:
It was observed that the HttpOnly and Secure attributes are not set on the application's session cookie.
Impact:
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.
If the HttpOnly flag is not set for a given cookie, the cookie can be accessed by client-side scripts, which may expose sensitive information stored in the cookie to unintended parties.
Release : 14.4, 14.5
Component : Identity Manager
3rd Party Issue
Identity Manager / Identity Portal / Identity Governance Standalone:
Edit the standalone.xml that is in use (for example, standalone-full-ha.xml):
<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" instance-id="${jboss.node.name}" default-security-domain="other">
    <buffer-cache name="default"/>
    <server name="default-server">
        ..(Cleared for readability)..
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <session-cookie http-only="true" secure="true"/> <!-- add http-only and secure attributes -->
        <websockets/>
    </servlet-container>
</subsystem>
Stop IDM, clear the tmp and data folders, then start IDM.
Identity Manager VAPP/Standalone (If you use CLI commands):
To do this on the VAPP, first add a new management user to JBoss:
sudo /opt/CA/wildfly-idm/bin/add-user.sh
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a): a
Username : <JbossAdminName>
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]:
Press Enter to leave blank
About to add user '<JbossAdminName>' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user '<JbossAdminName>' to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-users.properties'
Added user '<JbossAdminName>' to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-users.properties'
Added user '<JbossAdminName>' with groups to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-groups.properties'
Added user '<JbossAdminName>' with groups to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no
Next, navigate to /opt/CA/wildfly-idm/bin/ and execute ./jboss-cli.sh
type: connect
Enter credentials
Once connected, run the CLI commands below:
/subsystem=undertow/servlet-container=default/setting=session-cookie:write-attribute(name=secure,value=true)
/subsystem=undertow/servlet-container=default/setting=session-cookie:add(http-only=true,secure=true)
Stop Identity Manager (stop_im)
Clear JMS (deleteIDMJMSQueue)
Start Identity Manager (start_im)
For Identity Portal / Identity Governance:
sudo /opt/CA/wildfly-portal/bin/add-user.sh
sudo /opt/CA/wildfly-ig/bin/add-user.sh
Then follow the same user-creation steps as above, and when you run the connect step make sure you connect to the IP/IG instance.
Example:
navigate to /opt/CA/wildfly-portal/bin/
execute ./jboss-cli.sh
type: connect
Enter credentials
navigate to /opt/CA/wildfly-ig/bin/
execute ./jboss-cli.sh
type: connect
Enter credentials
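As an added verification step (not part of the original article or the product): a small Python audit that parses the Set-Cookie headers returned by the application and reports which of Secure and HttpOnly are missing on the session cookie. The constructed sample headers below show a response before and after the fix; the live check assumes you supply your own login URL, and the optional insecure TLS mode is only for appliances with a self-signed certificate.

```python
import ssl
import urllib.request

# WildFly/Undertow default session cookie name
SESSION_COOKIE = "JSESSIONID"
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def audit_set_cookie(header_value):
    """Return (cookie_name, missing_flags) for one Set-Cookie header value.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = [f for f in REQUIRED_FLAGS if f.lower() not in attrs]
    return name, missing


def audit_headers(set_cookie_headers):
    """Map every cookie name in the response to the flags it is missing."""
    findings = {}
    for header in set_cookie_headers:
        name, missing = audit_set_cookie(header)
        findings[name] = missing
    return findings


def session_cookie_hardened(findings, name=SESSION_COOKIE):
    """True only if the session cookie was seen and carries both flags."""
    return name in findings and findings[name] == []


def audit_url(url, verify_tls=True):
    """Fetch url and audit the Set-Cookie headers of the final response."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # self-signed appliance certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "cookie-flag-audit"})
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return audit_headers(resp.headers.get_all("Set-Cookie") or [])


# Constructed sample responses: session cookie before and after the fix
BEFORE = ["JSESSIONID=abc123.node1; Path=/iam/im"]
AFTER = ["JSESSIONID=abc123.node1; Path=/iam/im; Secure; HttpOnly"]

if __name__ == "__main__":
    print("before:", audit_headers(BEFORE))  # JSESSIONID missing Secure, HttpOnly
    print("after:", audit_headers(AFTER))    # JSESSIONID missing nothing
```

Run audit_url("https://<host>/iam/im/", verify_tls=False) against a freshly started instance to confirm the change took effect after the restart.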
Refer to the following link with official info: