
Vulnerabilities in Threat Analytics for PAM


Article ID: 255182


Products

CA Threat Analytics for PAM

Issue/Introduction

The client is using Threat Analytics (TA) 2.3 and ran a Nessus scan that reported several medium-severity vulnerabilities:

For the first three (SSL Certificate Cannot Be Trusted, SSL Self-Signed Certificate and TLS Version 1.1 Protocol Deprecated), the client was advised to follow the steps in the manual that describe how to configure the Threat Server SSL settings.

The remaining medium-severity finding from the report, nginx < 1.17.7 Information Disclosure, corresponds to Nessus plugin ID 134220 (https://www.tenable.com/plugins/nessus/134220), which recommends upgrading nginx to version 1.17.7 or higher.

As Threat Analytics 2.3 ships with a lower nginx version, how should this be addressed?

Environment

Release : 2.2.3

Resolution

Engineering confirmed that PAM TA 2.2.3 and up are not vulnerable by default to CVE-2019-20372 (NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer), because the error_page directive is not used in the nginx configuration.

Regarding the TLS 1.2 question: there is an option in the UI to allow TLS 1.2 only; select it and save.
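To verify the condition Engineering relied on (no error_page directive in the nginx configuration), the following script is an added example, not product code or part of this article: it tokenises an nginx configuration dump, such as the output of `nginx -T`, and lists every error_page directive together with the block that contains it. The sample configuration is constructed for illustration; the tokeniser is simplified and does not follow include directives, which is why a fully resolved dump is the intended input.

```python
import re

# Constructed sample configuration (not from the product): one error_page
# directive nested inside http > server > location.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl;
        location /api/ {
            proxy_pass http://backend;
            error_page 404 /custom_404.html;   # the directive CVE-2019-20372 depends on
        }
    }
    server {
        listen 8080;
    }
}
"""

def strip_comments(text):
    """Drop '#' comments so that braces or semicolons in comments are ignored."""
    return re.sub(r"#.*", "", text)

def find_error_page_directives(conf_text):
    """Return [(block_path, directive), ...] for every error_page directive.

    Input should be a resolved configuration such as `nginx -T` output.
    block_path is the chain of enclosing blocks, e.g. 'http > server > location /api/'.
    """
    results = []
    stack = []  # names of the blocks currently open
    # Tokens are: "<block header> {", "}", or "<directive> ;".
    for token in re.findall(r"[^{};]+\{|\}|[^{};]+;", strip_comments(conf_text)):
        token = token.strip()
        if token == "}":
            if stack:
                stack.pop()
        elif token.endswith("{"):
            stack.append(token[:-1].strip())
        else:
            parts = token[:-1].split()  # strip trailing ';' and split into words
            if parts and parts[0] == "error_page":
                results.append((" > ".join(stack), " ".join(parts)))
    return results

def uses_error_page(conf_text):
    """True when at least one error_page directive is present."""
    return bool(find_error_page_directives(conf_text))

if __name__ == "__main__":
    for path, directive in find_error_page_directives(SAMPLE_CONF):
        print(f"{path}: {directive}")
```

Pipe a real dump in with `nginx -T 2>/dev/null` and call `find_error_page_directives` on the text to get the same report for a live host.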