KB Article #178496
Security vulnerabilities, reported against SecureTransport, without formal (CVE / CWE) identifier
This KB lists security vulnerabilities without a formal CVE/CWE identifier that were recently reported against the SecureTransport application, together with the versions in which a fix is planned or released.
Security vulnerabilities with CVE identifiers reported against the SecureTransport application itself and/or the ST appliance OS are listed in the following KB articles:
- KB 162467 Security Vulnerabilities (CVE) reported against SecureTransport
- KB 178493 Security vulnerabilities reported against ST appliances
| Vulnerability summary | Internal ID | ST version affected | ST version fixed | Comment |
|---|---|---|---|---|
| FTP DoS when user exists | RDST-864, RDST-871 | 5.2.1 SP4; 5.3.1 | 5.2.1 SP7 Patch 7; 5.3.1 Patch 11 | SecureTransport used to not disconnect FTP users after the configured number of failed authentication attempts when the user exists in ST. The number is configured in Admin UI > Setup > Miscellaneous > "Disconnect after X failed login attempts". This works as expected for SSH transfers, and also when the user does not exist. When the user exists, however, the client could keep attempting to brute-force the password or DoS the server indefinitely. Issue is fixed in 5.2.1 SP7 Patch 7 and 5.3.1 Patch 11 and above. |
| Apply policy on temp passwords | RDST-54 | - | 5.3.x | Issue is no longer observed after replacing RBFT with Ad-Hoc and WAP. |
| Denial of Service for a single user over SFTP with unicode filename | RDST-533, RDST-541, RDST-4233 | 5.2.x; 5.3.x | - | To be fixed in a subsequent ST release. |
| DOM-based Cross-Site Scripting (XSS) | RDST-534 | 5.2.1.x | 5.2.1 SP8 | DOM-based XSS vulnerabilities arise when user-provided data is consumed by JavaScript and ends up being executed at runtime. The XSS vulnerability used to exist in the help site, which uses the MadCap software. Issue is fixed in 5.2.1 SP8. |
| CSRF protection for the WebServices REST API is weak | RDST-412 | 5.2.1 SP5 | 5.2.1 SP8 | CVE-2013-7057. Issue is fixed in 5.2.1 SP8. |
| Replace HTTP GET with POST for SITs | RDST-432 | 5.2.1.x | 5.2.1 SP8 | Issue is fixed in 5.2.1 SP8. |
| CSRF token in the GET method | RDST-513, RDST-585 | 5.2.1.x; 5.3.x | 5.2.1 SP8; 5.3.6 | Fix via new configuration options for CSRF protection is included in 5.2.1 SP8 and the forthcoming 5.3.6. |
| Application treats POST and GET requests identically | RDST-587 | 5.2.1.x; 5.3.x | 5.2.1 SP8; 5.3.6 | Fix via new configuration options for CSRF protection is included in 5.2.1 SP8 and the forthcoming 5.3.6. |
| MySQL password leak in install.log | RDST-532 | 5.2.1.x | 5.2.1 SP8 | Issue is fixed in 5.2.1 SP8. |
| Hidden Fields | RDST-586 | - | - | Tentative plan is for a fix to be provided in a subsequent ST release. |
| Metadata world readable | RDST-561 | 5.3.1 | 5.3.6 | Fix is to be included in the forthcoming 5.3.6 release. |
| ST API Documentation Disclosure | RDST-582 | 5.2.1.x | 5.2.1 SP9 | Fix is targeted for the 5.2.1 SP9 scope. |
| Files resource doesn't evaluate referrer header | RDST-250 | 5.3.x | 5.3.6 | Fix is to be included in the forthcoming 5.3.6 release. |
| Application leaks CSRF request token in URL | RDST-401 | 5.2.1 SP4 | 5.2.1 SP8 | Issue is fixed in 5.2.1 SP8. |
| Login failures over HTTP are not reflected in the Server Log | RDST-1379 | 5.3.3 | 5.3.5; 5.3.6 | Fix is included in the forthcoming 5.3.6 release. |
| JSON parameter pollution | RDST-556 | 5.2.1 | - | Fix is to be included in a future 5.2.1 service pack. |
| Stack traces in error messages reported by REST API | RDST-500 | 5.3.1 | 5.3.5; 5.3.6 | Fix is included in the forthcoming 5.3.6 release. |
| Dynamic code evaluation: unsafe deserialization - JMX Beans | RDST-249 | - | - | False positive. |
| Dynamic code evaluation: unsafe deserialization in DefaultPersistenceStorage | RDST-251, RDST-257 | 5.3.3 | 5.3.5; 5.3.6 | Fix is included in the forthcoming 5.3.6 release. |
| Double-checked locking | RDST-1524 | 5.3.3 | 5.3.5; 5.3.6 | Fix is included in the forthcoming 5.3.6 release. |
| Sanitize CSV exports | RDST-52 | 5.3.3 | 5.3.5; 5.3.6 | Fix is included in the forthcoming 5.3.6 release. |
| Missing Secure attribute in encrypted session (SSL) cookie | RDST-3699 | 5.3.x | 5.3.5; 5.3.6 | Fix is included in the forthcoming 5.3.6 release. |
| Address space layout randomisation (ASLR) and SELinux not enabled | RDST-4153 | - | - | ST is known not to operate correctly with SELinux enabled, as explicitly stated in the ST documentation. ASLR is an exploit mitigation technique that randomly arranges the address space of key data areas of a process; because memory placement keeps shifting, memory-corruption exploits become much harder to write. ASLR can be enabled by adding the line "kernel.randomize_va_space = 2" to the /etc/sysctl.conf file. Although enabling ASLR is expected to have minimal to no impact on ST operation, if reported issues with ST operation are suspected to be caused by it, one might be asked to disable it. |
| Basic Authentication supported for ST Admin REST Service | RDST-4254 | 5.3.1 | - | Use certificate-based authentication set to mandatory for ST admind. |
| Multiple security vulnerabilities against spring-core-3.1.0.RELEASE.jar (Spring Framework) | RDST-3997 | 5.3.5 | 5.3.6 | Fix is included in the forthcoming 5.3.6 release via upgrade of the Spring Framework to a non-vulnerable version. |
| Session identifier not updated | RDST-3702 | 5.3.5 | patch over 5.3.5; 5.3.6 | Fix is going to be part of a forthcoming patch over 5.3.5, and of 5.3.6. |
| Persistent Cross-Site Scripting (XSS) | RDST-542, RDST-589 | 5.2.1.x; 5.3.1.x | 5.2.1 SP8; 5.3.6 | Fix for the 5.2.1.x code base is included in 5.2.1 SP8; fix is going to be part of the forthcoming 5.3.6. |
| Oracle Application Server PL/SQL Unauthorized SQL Query Execution | RDST-3701 | 5.3.5 | - | Issue is a false positive, triggered by the HTTP 200 response returned by ST. No information from the database is displayed at any time when using the sample exploit code. Fix for the incorrect HTTP response is targeted for a subsequent ST version. |
| Information disclosure in API responses (hostname/IP) | RDST-1829 | 5.3.1.x; 5.3.3 | - | Fix is planned for a subsequent future version. |
| Cacheable HTTPS responses | RDST-523 | 5.3.0 | - | Fix is planned for a subsequent future version. |
| HTTP Buffer Overflow | RDST-539 | 5.3.1 | 5.3.6 | Fixed in the forthcoming 5.3.6 release. |
| Multiple login with same credentials allowed | RDST-2382 | 5.0.0 | - | Axway PSG does not consider this to be a security vulnerability. |
| XSS vulnerability in custom change password | RDST-2381 | 5.0.0 | 5.0.0 | A new build of the custom accelerator used by the customer, with the fix included, has been provided. |
| Account enumeration vulnerability in custom password reset | RDST-2884 | 5.0.0 | 5.0.0 | A new build of the custom accelerator used by the customer, with the fix included, has been provided. |
| Password in cleartext in Internet Explorer memory | RDST-445 | 5.3.0 | - | This defect is in IE; nevertheless, a fix is planned within ST scope for a future release. |
| ST Web UI HTML and JS files should not identify software vendor (Axway) | RDST-1451 | 5.3.3 | 5.3.5; 5.3.6 | Fixed in the forthcoming 5.3.6 release. |
| Path exposure in Admin Access rule error message | RDST-1426 | 5.2.1 - 5.3.3 | - | Fix is planned for a subsequent future version. |
| Clickjacking vulnerability | RDST-1538 | 5.2.1 - 5.3.3 | - | Regarding the WAP, the X-Frame-Options header is present in all responses with the value SAMEORIGIN. Regarding the Admin UI, there is a ClickjackingProtectionFilter which sets the X-Frame-Options header to SAMEORIGIN. In conclusion, ST is not vulnerable. |
| Internal IP address disclosure | RDST-522 | 5.3.0 | - | Fix is planned for a subsequent future version. |
| Possible spamming by repeating send request in WAP | RDST-516 | 5.3.0 | - | The described behaviour is not considered a security vulnerability: it is a permitted user action, and it cannot bring down the HTTP and SMTP services. However, security best practice recommends having a threshold to limit malicious actions, so this should be addressed in future releases of SecureTransport. |
| Cookie hijack in WAP allows malicious users to access valid ST accounts and use WAP | RDST-530 | 5.3.1 | - | Axway PSG and ST R&D statement is that this is not a vulnerability. Converted to a feature enhancement request. |
| API verbose error messages | RDST-528 | 5.2.1 SP6 | - | Fix is planned for a subsequent future version. |
| AdHoc subject and/or body are not sent to DLP for inspection when they should be | RDST-1947 | 5.3.0 | 5.3.3 | Issue fixed in 5.3.3. |
| Basic Authentication and Autocomplete=Off for Admin and RESTful API | RDST-1790 | 5.3.1 | - | CWE-308, CWE-309 and CWE-654. The username and certificate authentication method is already available for both the Admin UI and the RESTful API (Admin) access. Autocomplete can be set to off by adding autocomplete="off" next to method="post" in /opt/Axway/SecureTransport/tomcat/admin/webapps/coreadmin/auth/login.jspx; however, some browsers (such as Firefox) ignore the value and still save the credentials (prompting the user, of course). Converted to enhancement request (ER 1923) to be included in a future release. |
| REST API Web Services | RDST-388 | 5.2.1 SP3 | - | The AdHoc shared folders depend on various information returned from the server, such as user id, group id and others, in order to work properly. Those attributes are used to implement the logic for sharing between users and business units, and the associated permissions. This is not a security threat: all this information is provided to authenticated users only, and only for the files they are allowed to access. |
| LDAP Credentials | RDST-379 | 5.2.1 SP3 | - | Fix is planned for a future version. |
| Locking Out Administrative Users | RDST-380 | 5.2.1 SP3 | - | Fix is planned for a future version. |
| User Lock | RDST-378 | 5.2.1 SP3 | 5.3.3 | Ability to lock the account after a predefined number of wrong authentication attempts; if used in conjunction with the Login Threshold Maintenance application, there is an automated way to unlock the accounts at a predefined interval and send notifications on the actions taken. |
| Admind session cookie exposes username | RDST-382 | 5.2.1 SP2 - 5.3.3 | - | Fix is planned for a future version. |
| Autocomplete Enabled | RDST-536 | 5.3.0 patch 16 | - | See KB 102076. |
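Three of the rows above (clickjacking, the missing Secure attribute on the session cookie, and cacheable HTTPS responses) concern response headers that an administrator can verify from the client side after applying a service pack. The script below is an added example written for this KB, not code from Axway or the SecureTransport product: it parses a raw HTTP response and reports which of those three hardening items is absent. The function names, the JSESSIONID cookie name and both sample responses are assumptions constructed for the example, not captures from a real ST server.

```python
"""Response-header audit for three of the items in the table above.

Added example, not code from Axway or the SecureTransport product. It parses
a raw HTTP response and reports:
  - a missing or non-restrictive X-Frame-Options header (clickjacking row),
  - a Set-Cookie without the Secure attribute on a TLS response (RDST-3699),
  - a TLS response whose Cache-Control lacks no-store (RDST-523).
The two responses at the bottom are constructed sample data, not captures.
"""


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body).

    Header names are lower-cased; repeated headers (e.g. Set-Cookie) are kept
    as separate entries rather than merged.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_headers(headers, over_tls=True):
    """Return a list of finding strings; an empty list means all checks passed."""
    findings = []

    # Clickjacking: the KB row notes that WAP and the Admin UI send
    # X-Frame-Options: SAMEORIGIN; DENY is equally restrictive.
    xfo = [v for n, v in headers if n == "x-frame-options"]
    if not xfo:
        findings.append("clickjacking: X-Frame-Options header missing")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(
            "clickjacking: X-Frame-Options has non-restrictive value %r" % xfo[0])

    # Secure attribute: a session cookie issued over TLS must not be sent by
    # the browser over plain HTTP (RDST-3699 row).
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if over_tls and "secure" not in attrs:
            findings.append("cookie %s: missing Secure attribute" % cookie_name)

    # Cacheable HTTPS responses (RDST-523 row): without no-store, browser and
    # proxy caches may retain authenticated content on disk.
    if over_tls:
        directives = set()
        for n, v in headers:
            if n == "cache-control":
                directives.update(d.strip().lower() for d in v.split(","))
        if "no-store" not in directives:
            findings.append("cacheable HTTPS response: Cache-Control lacks no-store")

    return findings


def audit_raw(raw, over_tls=True):
    """Convenience wrapper: parse a raw response and audit its headers."""
    _, headers, _ = parse_response(raw)
    return audit_headers(headers, over_tls)


# Constructed sample responses (not captured from a real system).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=constructed-value; Path=/\r\n"
    "\r\n"
    "<html><body>account page</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Cache-Control: no-store\r\n"
    "Set-Cookie: JSESSIONID=constructed-value; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>account page</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_raw(raw) or ["no findings"])
```

Feed it the headers of a real response captured with a browser's developer tools or a TLS-aware proxy; pass over_tls=False for a plain-HTTP endpoint so that the Secure-cookie and cache checks, which only apply to HTTPS, are skipped.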