search cancel

Most Common Vulnerability addressed in CARA

book

Article ID: 257112

calendar_today

Updated On:

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

Can you please share a document which list down solution to most common vulnerabilities fixed in CARA

Environment

Release : 6.7

Component: CA RELEASE AUTOMATION CORE

Resolution

Item                                                 Support
Using components with Known Angular vulnerabilities Angular vulnerability mentioned are known and it's a huge work to upgrade from existing Angular version to higher version. Some of these vulnerabilities are partially addressed in 6.8 and will be addressed in upcoming cumulative of 6.8
Application uses SSL Cookie without secure flag set Refer Tech Doc Security Configuration
Session time-out is high (or) not implemented. Refer Vulnerabilities- Application Session not expire and no temp user account suspension
Application accepts special characters as user inputs

The CARA product security team and DEV have reviewed and scan the code and rejected this vulnerability with cause "The special characters in the form field are not evaluated and we don't find any occurrence of exploiting the values with special characters". There is no possibilities of SQL injections and henceforth there will no fix for this false-positive vulnerability reported.

Credentials are transmitted to server in plain text Its been verified that once you enable SSL the transmitted sensitive information from client to server is encrypted using the configured SSL certificates.
Application allows simultaneous logins from single user ID This is as per design, as RA make numerous internal API call using the authenticated user. Each call result in a new session and henceforth as per design the RA allows concurrence session. For addressing the concern of tracking session details, session id logging is available in RA and cane be configured as explained in the guide Enable Session Id logging
Session Cookie path attribute not set Release Automation sub components need to use cookie info like Session-ID internally, so Path attribute is set to / by product design. On the other hand, Domain attribute is not set. so, the cookie can be used in connected domain only. If you want to protect the cookie more, please consider to implement SSL and configure session.cookie.secure parameter in above document. Refer link Release Automation Session Cookie Configuration
Missing HTTP Security Headers  Please refer Tech Doc Security Configuration and apply the necessary configuration suggested.