Veracode scan detects the following vulnerability in SiteMinder SDK 12.8.06
Release : All SDK versions
The finding reported as "Use of Hard-coded Cryptographic Key" is a false positive.
When the custom program (SMAgentProxy) calls createSSOToken/decodeSSOToken, the encrypt/decrypt function can get called.
The Agent Keys are fetched to encrypt/decrypt cookies, the agent name, etc.
The Agent Keys used to encrypt these inputs are not hard-coded; they are fetched from the Policy Server at regular
doManagement thread intervals. The Policy Server stores these keys in secure media (the Key Store).
The AgentAPI module that fetches the agent keys holds them in memory for use during sensitive operations such as encryption/decryption.
The agent keys fetched from the Policy Server are rolled over based on configuration.
Because the keys are not hard-coded but are fetched from the Policy Server, where they are rolled over at regular intervals, this finding is a false positive for the SiteMinder SDK.
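The following is an added illustrative model of the key handling described above; it is not SiteMinder SDK code. The class and method names (PolicyServerKeyStore, AgentProxy, do_management, create_sso_token, decode_sso_token), the token layout, the choice to keep one previous key after rollover, and the SHA-256 counter-mode keystream used as a stand-in for the real cipher are all assumptions made for the example. What it shows is the property that matters for the scanner finding: the agent contains no key literal, obtains keys from the server on a management interval, keeps them only in memory, and keeps working across a key rollover.

```python
"""Illustrative model (not SiteMinder code) of an agent that fetches its keys
from a server-side key store instead of embedding them, refreshes them on a
management interval, and rolls over without breaking tokens in flight."""
import hashlib
import hmac
import json
import os
from typing import Optional


class PolicyServerKeyStore:
    """Stand-in for the Policy Server key store (assumed name). Keys are
    generated here at runtime and are never present in agent source code."""

    def __init__(self) -> None:
        self.generation = 1
        self.current = os.urandom(32)
        self.previous: Optional[bytes] = None

    def rollover(self) -> None:
        # Assumption: one previous key is retained so tokens issued just before
        # rollover still decode until the agent's next refresh.
        self.previous, self.current = self.current, os.urandom(32)
        self.generation += 1

    def fetch_agent_keys(self) -> dict:
        return {"generation": self.generation,
                "current": self.current, "previous": self.previous}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256; stands in for a real
    cipher so the example runs with the standard library only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class AgentProxy:
    """Models the custom SMAgentProxy: caches fetched keys in memory and
    refreshes them once the management interval has elapsed."""

    def __init__(self, store: PolicyServerKeyStore, refresh_interval: float) -> None:
        self._store = store
        self._interval = refresh_interval
        self._last_fetch: Optional[float] = None
        self._keys: dict = {}          # in-memory only, never a literal

    def do_management(self, now: float) -> bool:
        """Refresh keys when the interval has elapsed. Returns True on a fetch."""
        if self._last_fetch is None or now - self._last_fetch >= self._interval:
            self._keys = self._store.fetch_agent_keys()
            self._last_fetch = now
            return True
        return False

    def _key_for(self, generation: int) -> bytes:
        if generation == self._keys["generation"]:
            return self._keys["current"]
        if generation == self._keys["generation"] - 1 and self._keys["previous"]:
            return self._keys["previous"]
        raise ValueError("token was issued under a key the agent no longer holds")

    def create_sso_token(self, attrs: dict, now: float) -> str:
        """Encrypt-then-MAC the attributes under the current key; the token
        carries the key generation so the decoder can pick the right key."""
        self.do_management(now)
        gen, key = self._keys["generation"], self._keys["current"]
        nonce = os.urandom(12)
        plaintext = json.dumps(attrs, sort_keys=True).encode()
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        header = f"{gen}:{nonce.hex()}:{ct.hex()}"
        mac = hmac.new(key, header.encode(), hashlib.sha256).hexdigest()
        return f"{header}:{mac}"

    def decode_sso_token(self, token: str, now: float) -> dict:
        """Verify the MAC under the generation's key, then decrypt."""
        self.do_management(now)
        gen_s, nonce_hex, ct_hex, mac = token.split(":")
        key = self._key_for(int(gen_s))
        header = f"{gen_s}:{nonce_hex}:{ct_hex}"
        expected = hmac.new(key, header.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            raise ValueError("SSO token MAC mismatch")
        nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
        pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
        return json.loads(pt.decode())
```

When triaging a hard-coded-key finding against code of this shape, the thing to confirm is that the value the scanner flagged is a key obtained at runtime (the contents of the in-memory cache) rather than a literal in the source or binary; a literal would be the only thing that makes the finding real.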