Symantec Access Management

Tech Tip : CA Single Sign-On :Administrative UI : Security vulnerability remediation techniques

By Ujwol posted 12-13-2016 05:46 PM

  

Summary

In this guide ,we will discuss about various security vulnerabilities that the Administrative UI might be affected with and steps that can be taken to remediate the said vulnerability.

The Administrative UI version considered for this blog is 12.52 and above.

 

Vulnerability 1  : Insufficient Session Expiration

The Siteminder Administrative UI application does not terminate sessions after a reasonable period of inactivity from a user  

Inactivity periods may be the result of a user leaving a logged in session unattended, or a user closing the browser without using the logout functionality. User sessions remained active after 30 minutes of inactivity. 

The amount of time that is considered reasonable to be idle for in the context of this application is lower because of the administrative actions that can be performed using this application. 

Resolution

The default session idle time out value is : 30 minutes. 

However, you can configure this to shorter value by updating the following element in web.xml file as below: 

 

The location of web.xml file : 

12.52SP2

<AdminUI_Install_direcotry>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF 

 

12.52SP1 and below: 

<AdminUI_Install_direcotry>\server\default\deploy\iam_siteminder.ear\user_console.war\WEB-INF 

 

Element to modify 

<session-config> 

<!-- 30 minutes --> 

<session-timeout>30</session-timeout> 

</session-config> 

 

Note :

  • The value are in minutes
  • You will need to recycle Admin UI service after making the change.
  • KB : TEC1662884

 

Vulnerability 2  : Lack of Cookie Attribute - Secure

The Session cookies for Admin UI (JSESSIONID) are not configured to restrict access via unencrypted channels. 

The ‘secure’ directive instructs the user's browser to send the cookie only over SSL/TLS encrypted channels.

Secure is not set for the JSESSIONID cookie. 

Resolution

You can enable the Secure and the HttpOnly flag by updating the following element in web.xml file as below: 

 

The location of web.xml file is : 

12.52SP2

<AdminUI_Install_direcotry>\standalone\deployments\iam_siteminder.ear\user_console.war\WEB-INF 

 

12.52SP1:

This version is not affected with this vulnerability and doesn't have this as configuration option.

 

Element to modify 

=============== 

<cookie-config> 

<http-only>true</http-only> 

<secure>true</secure> 

</cookie-config> 

 

Note :

  • You will need to recycle Admin UI service after making the change.
  • KB : TEC1126443
0 comments
1 view

Permalink