Multiple CWE vulnerabilities identified after upgrading to DX UIM version 23.4 CU3
Article ID: 398802


Products

  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)
  • DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

We have upgraded our development UIM application from 23.4 CU1 to the latest version, 23.4 CU3, to remediate existing vulnerabilities.

After the upgrade we noticed that the existing vulnerabilities were remediated successfully, but new vulnerabilities were identified in the security scan report.

Below are the newly identified vulnerabilities; we need your immediate assistance to remediate these at the earliest.

1. Cross-Site Request Forgery (CSRF) (CWE ID 352)
2. Insufficiently Protected Credentials (CWE ID 522)
3. Improper Following of a Certificate's Chain of Trust (CWE ID 296)
4. Inclusion of Functionality from Untrusted Control Sphere (CWE ID 829)
5. Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE ID 757)

Environment

  • UIM 23.4 CU3

Cause

  • Upgrade to DX UIM 23.4 CU3
  • Questions about new vulnerabilities found in scan report

Resolution

Answers for each CWE point raised:

  • Cross-Site Request Forgery (CSRF) (CWE ID 352)
    • To address this, nonce functionality will be added to the content security policy. This is planned for UIM 23.4 CU5 (July 2025).

  • Insufficiently Protected Credentials (CWE ID 522)
    • This vulnerability does not apply to UIM. UIM does not store user credentials directly; for authentication it uses JSON Web Tokens (JWT), which are stateless and do not require sensitive user information to be stored in the system.

  • Improper Following of a Certificate's Chain of Trust (CWE ID 296)
    • This finding relates to the CA certificates deployed in the customer's environment and must be handled on the customer side. Follow certificate best practices: install the complete chain (server certificate plus every intermediate) and verify that the chain validates up to a trusted root CA.

  • Inclusion of Functionality from Untrusted Control Sphere (CWE ID 829)
    • A content security policy is already available in UIM under the security_headers section of wasp.cfg. Modify the value of the content_security_policy key to tighten the policy as required.

  • Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE ID 757)
    • wasp.cfg contains a cipher list in the https_ciphers key. Removing the vulnerable ciphers from that list remediates this vulnerability.
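The two wasp.cfg changes above (tightening content_security_policy under security_headers, and pruning https_ciphers) are easy to get wrong by hand, so here is an added example of a small audit script that reads a wasp.cfg-style file and reports what a scanner would flag. This is example code written for this article, not Broadcom's or the UIM product's own tooling. It assumes the Nimsoft `<section>` / `key = value` layout, that https_ciphers is a comma-separated list of Java-style cipher suite names, and a constructed sample configuration; the section nesting shown (security_headers inside setup) is an assumption, and only the key names come from the article.

```python
"""Audit a wasp.cfg-style file for weak TLS ciphers (CWE-757) and a
permissive content_security_policy (CWE-829).  Added example; not UIM code."""

# Constructed sample in the Nimsoft <section> / key = value layout.  The
# nesting of security_headers under setup and the https_port key are
# assumptions; https_ciphers, security_headers and content_security_policy
# are the keys the article names.
SAMPLE_WASP_CFG = """\
<setup>
   https_port = 443
   https_ciphers = TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA
   <security_headers>
      content_security_policy = default-src * 'unsafe-inline' 'unsafe-eval'; script-src *
   </security_headers>
</setup>
"""

# Substrings that mark a cipher suite as one a scanner will flag.
WEAK_CIPHER_MARKERS = ("RC4", "RC2", "DES", "NULL", "EXPORT", "MD5", "ANON")


def parse_cfg(text):
    """Parse <section> ... </section> blocks with key = value lines into nested dicts."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):          # close current section
            stack.pop()
        elif line.startswith("<"):         # open a nested section
            child = {}
            stack[-1][line[1:-1]] = child
            stack.append(child)
        else:                              # key = value (value may contain '=')
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root


def cipher_findings(cipher_list):
    """Map each weak suite name to the reasons it should be removed."""
    findings = {}
    for name in (c.strip() for c in cipher_list.split(",") if c.strip()):
        reasons = [m for m in WEAK_CIPHER_MARKERS if m in name.upper()]
        if name.startswith("TLS_RSA_WITH_"):  # static RSA key exchange
            reasons.append("no forward secrecy")
        if reasons:
            findings[name] = reasons
    return findings


def hardened_cipher_list(cipher_list):
    """Return the https_ciphers value with every flagged suite removed."""
    bad = cipher_findings(cipher_list)
    keep = [c.strip() for c in cipher_list.split(",") if c.strip() and c.strip() not in bad]
    return ",".join(keep)


def csp_findings(policy):
    """Flag wildcard and unsafe-* sources in each CSP directive."""
    findings = []
    for directive in (d.strip() for d in policy.split(";") if d.strip()):
        name, *sources = directive.split()
        for src in sources:
            if src == "*":
                findings.append(f"{name}: wildcard source allows any origin")
            elif src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{name}: {src} permits inline or dynamic script")
    return findings


def audit(cfg_text):
    """Run both checks and return the findings plus a pruned cipher list."""
    setup = parse_cfg(cfg_text)["setup"]
    ciphers = setup["https_ciphers"]
    csp = setup["security_headers"]["content_security_policy"]
    return {
        "weak_ciphers": cipher_findings(ciphers),
        "hardened_https_ciphers": hardened_cipher_list(ciphers),
        "csp_findings": csp_findings(csp),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_WASP_CFG).items():
        print(f"{key}: {value}")
```

Run it against a copy of the real wasp.cfg (read the file into `audit`) before and after the edit: the `hardened_https_ciphers` value is what to paste back into https_ciphers, and the CSP findings show which sources to replace with `'self'` or explicit origins. Restart the wasp probe after editing and re-run the scanner to confirm both findings clear; do not remove `'unsafe-inline'` from the policy until the nonce support the article mentions is in place, or the UI's inline scripts will be blocked.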

Additional Information

CWE: A Common Weakness Enumeration ID (CWE ID) is a unique identifier for a class of software or hardware weakness.