clickJacking Security vulnerability was found on Jetty that USS is using

Article Id: 38688

Status: Published

Updated On: 14-02-2018 07:55

Legacy Id: TEC1655155

Products:

CA Service Catalog , CA Service Management - Asset Portfolio Management , CA Service Management - Service Desk Manager

Issue/Introduction:

Problem:

Security vulnerability is found on Jetty that USS is running.

Environment:

CA Service Catalog 14.1

Cause:

Jetty service is only used when the USS is using web notification for communities in USS. For security reasons, Jetty service should be shut down if USS is not using web notifications.

Resolution:

Check portal-ext.properties file on their USS server , the following configuration parameter is set as false :

cometd.enable=false

If the above configuration is set to false, it is confirmed that USS is not using Web Notifications feature at all . So Jetty Service can be safely shutdown.

Note : after Jetty Service is down , Communities shall be working without any problem .

Additional Information:

If you want to go further by turning off the Communities feature in USS GUI completely, you can check the information here

Environment:

Release: CASVCT99000-14.1-Service Catalog
Component: