Security Vulnerabilities in VMware Telco Cloud Automation 2.x and 3.x

Article ID: 379679

Products

VMware Telco Cloud Automation

Issue/Introduction

Multiple vulnerabilities were identified in VMware Telco Cloud Automation (TCA) versions 2.x and 3.x, including verbose error messages, cleartext passwords in logs, outdated third-party libraries, inadequate access control, and information disclosure.

Environment

VMware Telco Cloud Automation (TCA) 2.x and 3.x

Cause

Several issues have been identified in TCA 2.x and 3.x:

1. Outdated Third-Party Libraries

The TCA web application bundles third-party JavaScript libraries with known vulnerabilities (e.g., Moment.js, jQuery UI, AngularJS, DOMPurify). These expose it to high-risk CVEs, including regular-expression denial of service (ReDoS), cross-site scripting (XSS), and code injection.

2. Out-of-Date Software

The appliance also ships outdated versions of platform and system software (e.g., Swagger UI, Apache, glibc) that are susceptible to vulnerabilities such as server-side request forgery (SSRF), denial of service (DoS), and privilege escalation.

3. Insufficient Access Control

Access control checks in TCA are insufficient: users can read data or perform actions beyond what their assigned roles are intended to permit.

4. Information Disclosure

Verbose error messages are returned to users, exposing stack traces and server details (component names and versions) that help an attacker fingerprint the stack and target known weaknesses.

5. Cleartext Passwords

Passwords are written to logs either in cleartext or merely base64 encoded, which is an encoding and not encryption. Anyone with read access to the logs (or to an exported log bundle) can recover them and use them to reach critical data or escalate privileges.
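A detection check for this finding, added here as an example (it is not code from this article or from VMware): a small Python scanner that walks log lines, flags values assigned to password-like keys, and distinguishes a plain cleartext value from one that merely base64-decodes to printable text, then redacts both. The log lines, key names and field formats below are constructed for the example and are not TCA's actual log format.

```python
import base64
import binascii
import re

# Constructed sample log lines (not from TCA). Line 1 carries a cleartext
# password, line 2 the same password base64-encoded, line 3 is benign.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z INFO  vim-connector: connecting to vcenter user=administrator@vsphere.local password=Sup3rSecret!
2024-05-01T10:00:01Z DEBUG k8s-bootstrap: ssh credentials {"user":"capv","password":"U3VwM3JTZWNyZXQh"}
2024-05-01T10:00:02Z INFO  scheduler: job 42 finished status=ok
"""

# Key names treated as secret-bearing (assumption for this example).
SECRET_KEYS = ("password", "passwd", "pwd", "secret", "token")

# key, optional closing quote, '=' or ':', optional opening quote, then the value
# up to whitespace, a quote, a comma or a closing brace.
_PATTERN = re.compile(
    r'(?P<key>' + "|".join(SECRET_KEYS) + r')"?\s*[=:]\s*"?(?P<value>[^\s",}]+)',
    re.IGNORECASE,
)
_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def looks_base64(value):
    """True if value is well-formed base64 that decodes to printable ASCII."""
    if not _B64_ALPHABET.match(value) or len(value) % 4:
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return all(32 <= b < 127 for b in decoded)


def find_secrets(log_text):
    """Return one finding per secret-like value, labelled cleartext or base64."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in _PATTERN.finditer(line):
            value = m.group("value")
            kind = "base64" if looks_base64(value) else "cleartext"
            findings.append(
                {"line": lineno, "key": m.group("key"), "kind": kind, "value": value}
            )
    return findings


def redact(log_text):
    """Return the log text with every secret-like value replaced by [REDACTED]."""
    def _mask(m):
        prefix = m.group(0)[: m.start("value") - m.start()]  # 'password=' or 'password":"'
        return prefix + "[REDACTED]"
    return "\n".join(_PATTERN.sub(_mask, line) for line in log_text.splitlines())


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_LOG):
        print(f"line {f['line']}: {f['key']} ({f['kind']})")
    print(redact(SAMPLE_LOG))
```

Treat a base64 hit with the same severity as a cleartext one; decoding is a one-liner for an attacker. The base64 heuristic is deliberately strict (alphabet only, length a multiple of four, decodes to printable bytes), so a long alphanumeric password that happens to satisfy it is reported as base64 rather than cleartext, but it is still reported and still redacted.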

6. Brute Force Protection

TCA itself does not implement brute force protection on its login because authentication is delegated to an external identity provider; account lockout and rate limiting are therefore the identity provider's responsibility. This is not considered an issue specific to the TCA platform.

7. Deprecated SHA-1 MAC in the SSH Configuration

In TCA 2.3, the sshd configuration offers the weak MAC hmac-sha1. In TCA 3.x, the sshd configuration contains only the 'strong' MACs hmac-sha2-512 and hmac-sha2-256.
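To verify which case an appliance is in, the effective sshd configuration can be dumped with `sshd -T`, which prints every keyword in lowercase. The following Python check, added here as an example and not part of this article or of TCA, parses that output, lists any SHA-1 or MD5 based MACs (it also catches the -etm@openssh.com and -96 variants, which goes beyond the plain hmac-sha1 the article names), and prints the MACs line with those entries removed. The two `sshd -T` excerpts are constructed to match the article's description of TCA 2.3 and 3.x, not captured from real appliances.

```python
import re

# Constructed `sshd -T` excerpts for the two cases the article describes
# (not captured from a real TCA appliance).
SSHD_T_TCA_23 = "macs hmac-sha2-512,hmac-sha2-256,hmac-sha1\n"
SSHD_T_TCA_3X = "macs hmac-sha2-512,hmac-sha2-256\n"

# HMAC built on SHA-1 or MD5, including the truncated -96 forms and the
# encrypt-then-MAC variants, which use the same weak hash underneath.
_WEAK_MAC = re.compile(r"^hmac-(sha1|md5)(-96)?(-etm@openssh\.com)?$")


def parse_sshd_t(output):
    """Return {keyword: value} from `sshd -T` style output (keywords lowercased)."""
    conf = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def weak_macs(output):
    """List the MACs in the effective configuration that rely on SHA-1 or MD5."""
    macs = parse_sshd_t(output).get("macs", "")
    return [m for m in macs.split(",") if m and _WEAK_MAC.match(m)]


def hardened_macs_line(output):
    """Return an sshd_config 'MACs' line keeping only the non-weak entries."""
    macs = parse_sshd_t(output).get("macs", "")
    keep = [m for m in macs.split(",") if m and not _WEAK_MAC.match(m)]
    return "MACs " + ",".join(keep)


if __name__ == "__main__":
    for name, out in (("TCA 2.3", SSHD_T_TCA_23), ("TCA 3.x", SSHD_T_TCA_3X)):
        print(name, "weak MACs:", weak_macs(out) or "none", "->", hardened_macs_line(out))
```

On a live host, feed the real output in with `sshd -T | python3 check_macs.py` style plumbing (reading `sys.stdin` instead of the constructed strings); `sshd -T` reflects the configuration as actually loaded, including any `Match` blocks and defaults, which is what a client negotiates against. An empty result from `weak_macs` corresponds to the TCA 3.x state described above.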

8. Weak SSL/TLS Key Exchange

In TCA 2.3, Appliance Manager (port 9443) has its own TLS configuration, separate from the main UI on port 443. It accepts only TLS 1.2 but retains some older cipher suites for compatibility, and this configuration cannot be changed. Since TCA 3.x, ports 443 and 9443 share the same TLS configuration with a 'modern' cipher suite.

Resolution

Fixed in TCA 3.1.1:

  1. Outdated Libraries: All but one of the vulnerabilities related to outdated libraries will be mitigated. The remaining one, Java Library Disclosure (information disclosure), is planned for TCA 3.2.
  2. Outdated Software: Security updates addressing vulnerabilities in components like SwaggerUI and Apache will be applied in TCA 3.1.1.
  3. Insufficient Access Control: Enhanced access control mechanisms will be implemented in TCA 3.1.1 to address this vulnerability.
  4. Information Disclosure: Verbose error messages will be replaced with custom error pages, reducing the risk of sensitive information exposure.
  5. Cleartext Passwords: Password management will be improved to remove cleartext passwords from logs in TCA 3.1.1.

Items not fixed in TCA 3.1.1:

  • Brute Force Protection: As brute force protection is handled by an external identity provider, this is considered a "Won't Fix" and will not be addressed in any version of TCA.

Fixes planned for TCA 3.2:

  • Java Library Disclosure: This vulnerability related to information disclosure is targeted for resolution in TCA 3.2.