Clickjacking security vulnerability found on the Jetty service that USS uses


Article ID: 38688


Products

CA Service Catalog
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager

Issue/Introduction

Problem:

A clickjacking security vulnerability was found on the Jetty service that USS (Unified Self-Service) runs.

Environment:  

CA Service Catalog 14.1 

Cause: 

The Jetty service is used only when USS delivers web notifications for Communities. If USS is not using web notifications, the Jetty service should be shut down so that it no longer exposes the vulnerable endpoint.

Resolution:

Check the portal-ext.properties file on the USS server and confirm that the following configuration parameter is set to false:

              cometd.enable=false

If this parameter is set to false, it confirms that USS is not using the Web Notifications feature at all, so the Jetty service can be safely shut down. If it is set to true, web notifications are in use and Jetty must stay running.

Note: after the Jetty service is stopped, Communities continues to work without any problem.
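The check above, as an added example that is not part of the original article or of CA's own tooling: a POSIX shell script that reads the effective value of cometd.enable from portal-ext.properties (honouring Java properties conventions: comment lines, "key=value" / "key: value" / "key value" forms, and last occurrence wins) and reports whether Jetty can be stopped. The sample properties file it builds is constructed for the demonstration; the path of the real portal-ext.properties on your USS server is an assumption you must supply. The script only reports; it does not stop the service.

```shell
#!/bin/sh
# Added example (not CA's tooling): decide whether the USS Jetty service can be
# stopped, based on cometd.enable in portal-ext.properties.

# Print the effective value of $2 from the Java .properties file $1.
# Skips '#'/'!' comment lines, accepts "k=v", "k:v", "k v" and "k = v",
# trims surrounding whitespace; the last occurrence wins, as in
# java.util.Properties. Prints nothing if the key is absent.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                    # comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # leading whitespace
            if (match(line, /[=: \t]/)) {         # first separator
                k = substr(line, 1, RSTART - 1)
                v = substr(line, RSTART + 1)
                sub(/^[ \t]*[=:]?[ \t]*/, "", v)  # "k = v" -> "v"
                sub(/[ \t]+$/, "", v)
            } else {
                k = line; v = ""                  # key with no value
            }
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# Return codes:
#   0  cometd.enable=false: web notifications disabled, Jetty can be stopped
#   1  cometd.enable=true:  web notifications in use, keep Jetty running
#   2  cannot tell (file unreadable or key missing): verify manually first
jetty_can_stop() {
    file=$1
    [ -r "$file" ] || return 2
    v=$(prop_value "$file" cometd.enable | tr '[:upper:]' '[:lower:]')
    case "$v" in
        false) return 0 ;;
        true)  return 1 ;;
        *)     return 2 ;;
    esac
}

# Demonstration on a constructed sample file (not a real server's
# portal-ext.properties). On a real USS server pass the actual path, e.g.
# jetty_can_stop /path/to/portal-ext.properties   (path is an assumption)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample portal-ext.properties
cometd.enable=true
cometd.enable = false
EOF
jetty_can_stop "$sample" && rc=0 || rc=$?
case $rc in
    0) echo "cometd.enable=false: USS is not using web notifications; Jetty can be stopped" ;;
    1) echo "cometd.enable=true: web notifications in use; keep Jetty running" ;;
    *) echo "cometd.enable not found or file unreadable: verify manually before stopping Jetty" ;;
esac
rm -f "$sample"
```

The "cannot tell" outcome is deliberate: the article only says that an explicit false confirms web notifications are off, so a missing key is treated as unknown rather than assumed safe.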

Additional Information:

To go further and turn off the Communities feature entirely in the USS GUI, see the information here.

Environment

Release: CASVCT99000-14.1-Service Catalog