Most Common Vulnerability addressed in CARA
Article ID: 257112
Updated On:
Products
CA Release Automation - Release Operations Center (Nolio)
Issue/Introduction
Can you please share a document which list down solution to most common vulnerabilities fixed in CARA
Environment
Release : 6.7
Component: CA RELEASE AUTOMATION CORE
Resolution
| Item | Support |
| Using components with Known Angular vulnerabilities | Angular vulnerability mentioned are known and it's a huge work to upgrade from existing Angular version to higher version. Some of these vulnerabilities are partially addressed in 6.8 and will be addressed in upcoming cumulative of 6.8 |
| Application uses SSL Cookie without secure flag set | Refer Tech Doc Security Configuration |
| Session time-out is high (or) not implemented. | Refer Vulnerabilities- Application Session not expire and no temp user account suspension |
| Application accepts special characters as user inputs |
The CARA product security team and DEV have reviewed and scan the code and rejected this vulnerability with cause "The special characters in the form field are not evaluated and we don't find any occurrence of exploiting the values with special characters". There is no possibilities of SQL injections and henceforth there will no fix for this false-positive vulnerability reported. |
| Credentials are transmitted to server in plain text | Its been verified that once you enable SSL the transmitted sensitive information from client to server is encrypted using the configured SSL certificates. |
| Application allows simultaneous logins from single user ID | This is as per design, as RA make numerous internal API call using the authenticated user. Each call result in a new session and henceforth as per design the RA allows concurrence session. For addressing the concern of tracking session details, session id logging is available in RA and cane be configured as explained in the guide Enable Session Id logging |
| Session Cookie path attribute not set | Release Automation sub components need to use cookie info like Session-ID internally, so Path attribute is set to / by product design. On the other hand, Domain attribute is not set. so, the cookie can be used in connected domain only. If you want to protect the cookie more, please consider to implement SSL and configure session.cookie.secure parameter in above document. Refer link Release Automation Session Cookie Configuration |
| Missing HTTP Security Headers | Please refer Tech Doc Security Configuration and apply the necessary configuration suggested. |
Feedback
Yes
No
Powered by
