Summary
In this guide, we discuss several security vulnerabilities that the Administrative UI may be affected by and the steps that can be taken to remediate each of them.
The Administrative UI version considered for this guide is 12.52 and above.
Vulnerability 1 : Insufficient Session Expiration
The Siteminder Administrative UI application does not terminate sessions after a reasonable period of user inactivity.
Inactivity periods may be the result of a user leaving a logged-in session unattended, or of a user closing the browser without using the logout functionality. User sessions remained active after 30 minutes of inactivity.
The idle period that can be considered reasonable for this application is shorter than usual because of the administrative actions that can be performed through it.
Resolution
The default session idle timeout value is 30 minutes.
However, you can configure a shorter value by updating the following element in the web.xml file as shown below.
The location of the web.xml file:
12.52SP2:
<AdminUI_Install_directory>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF
12.52SP1 and below:
<AdminUI_Install_directory>\server\default\deploy\iam_siteminder.ear\user_console.war\WEB-INF
Element to modify
<session-config>
<!-- 30 minutes -->
<session-timeout>30</session-timeout>
</session-config>
Note:
- The value is in minutes.
- You will need to recycle the Admin UI service after making the change.
- KB: TEC1662884
Vulnerability 2 : Lack of Cookie Attribute - Secure
The session cookies for the Admin UI (JSESSIONID) are not configured to restrict access via unencrypted channels.
The ‘secure’ directive instructs the user's browser to send the cookie only over SSL/TLS encrypted channels.
Secure is not set for the JSESSIONID cookie.
Resolution
You can enable the Secure and HttpOnly flags by updating the following element in the web.xml file as shown below.
The location of the web.xml file:
12.52SP2:
<AdminUI_Install_directory>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF
12.52SP1:
This version is not affected by this vulnerability and does not offer this as a configuration option.
Element to modify
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
Note:
- You will need to recycle the Admin UI service after making the change.
- KB: TEC1126443
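As an added example (not from the original guide or from the product), the following script audits a deployed web.xml for both settings discussed above: the session-timeout value in session-config and the http-only and secure flags in cookie-config. It assumes a Servlet 3.0-style web.xml, in which cookie-config is a child of session-config, and uses a hypothetical 15-minute idle threshold; the sample web.xml is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml; not the file shipped with the Admin UI.
# Note that <secure> is deliberately absent so that the audit reports a finding.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <!-- 30 minutes -->
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
"""

def _find(elem, name):
    """Return the first direct child called `name`, ignoring the XML namespace."""
    for child in elem:
        if child.tag.rsplit('}', 1)[-1] == name:
            return child
    return None

def _is_true(node):
    return node is not None and node.text is not None and node.text.strip().lower() == "true"

def audit_web_xml(xml_text, max_idle_minutes=15):
    """Return {setting: ok} for the three settings; ok=False is a finding.
    max_idle_minutes is a hypothetical policy threshold for an admin console."""
    findings = {"session_timeout_ok": False, "http_only": False, "secure": False}
    session_config = _find(ET.fromstring(xml_text), "session-config")
    if session_config is None:
        return findings  # nothing configured: container default applies, report it
    timeout = _find(session_config, "session-timeout")
    try:
        minutes = int(timeout.text.strip())
        # In the Servlet spec, 0 or a negative value means the session never expires
        findings["session_timeout_ok"] = 0 < minutes <= max_idle_minutes
    except (AttributeError, ValueError):
        pass  # missing or non-numeric value stays a finding
    cookie_config = _find(session_config, "cookie-config")
    if cookie_config is not None:
        findings["http_only"] = _is_true(_find(cookie_config, "http-only"))
        findings["secure"] = _is_true(_find(cookie_config, "secure"))
    return findings

if __name__ == "__main__":
    for setting, ok in audit_web_xml(SAMPLE_WEB_XML).items():
        print(f"{setting}: {'OK' if ok else 'FINDING'}")
```

Point the script at the web.xml in the WEB-INF path listed above to check a real deployment; two findings are expected on the constructed sample (timeout too long, secure flag missing).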