
Security problem with HTTP TRACE Requests


Article ID: 239500


Products

CA API Gateway

Issue/Introduction

We have a security problem with the Layer7 API Gateway 10.1 CR01.
There was a pentest, and during it we found a problem with the implementation of the TRACE method in Layer7 API Gateway.
The return of 405 is OK, but the mirroring of the input headers (e.g. the Authorization header) is a security issue.

Environment

Release : 10.1

Component : API GATEWAY

Resolution

This will be fixed in CR2, as it was caused by an upgrade of Tomcat library files.
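
To confirm the behaviour before and after applying the fix, the following added example (not Broadcom's or the gateway's own code) sends a TRACE request carrying a random canary in the Authorization header and reports whether the canary is mirrored back in the response body or response headers. The function names, the set of accepted rejection codes and the sample responses are assumptions constructed for illustration.

```python
import http.client
import secrets

REJECT_CODES = (405, 501)  # assumption: statuses treated as "TRACE refused"

def assess_trace_response(status, headers, body, canary):
    """Classify a TRACE response; headers is a list of (name, value), body is bytes."""
    reflected_in = []
    if canary.encode() in body:
        reflected_in.append("body")
    # Also check response headers, in case the request headers are echoed there.
    reflected_in += ["header:" + n for n, v in headers if canary in v]
    rejected = status in REJECT_CODES
    return {"status": status, "rejected": rejected,
            "reflected_in": reflected_in, "ok": rejected and not reflected_in}

def probe_trace(host, port, path="/", tls=True, timeout=10):
    """Send one TRACE with a random canary credential and assess the reply."""
    canary = "canary-" + secrets.token_hex(8)  # never send a real token
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Authorization": "Bearer " + canary})
        resp = conn.getresponse()
        return assess_trace_response(resp.status, resp.getheaders(), resp.read(), canary)
    finally:
        conn.close()

# Constructed sample responses (not captured from a real gateway).
CANARY = "canary-0123456789abcdef"
MIRRORED_BODY = (405, [("Allow", "GET, POST")],
                 b"TRACE / HTTP/1.1\r\nauthorization: Bearer " + CANARY.encode() + b"\r\n")
MIRRORED_HEADER = (405, [("authorization", "Bearer " + CANARY)], b"")
CLEAN = (405, [("Allow", "GET, POST")], b"")

if __name__ == "__main__":
    for name, sample in [("mirrored body", MIRRORED_BODY),
                         ("mirrored header", MIRRORED_HEADER), ("clean", CLEAN)]:
        print(name, assess_trace_response(*sample, CANARY))
```

Run `probe_trace` against a gateway listener you administer; an `ok` value of `False` with a 405 status matches the behaviour reported in this article.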