KB Article #178496

Security vulnerabilities reported against SecureTransport without a formal (CVE / CWE) identifier

This KB article lists security vulnerabilities without a formal CVE/CWE identifier that were recently reported against the SecureTransport application, together with the versions in which a fix is planned or has been released.


Security vulnerabilities with CVE identifiers, reported against the SecureTransport application itself and/or the ST Appliance OS, are listed in the following KB articles:



Vulnerability summary
Each entry below lists: Internal ID, ST version affected, ST version fixed, Comment.

FTP DoS when user exists
  Internal ID: RDST-864, RDST-871
  ST version affected: 5.2.1 SP4; 5.3.1
  ST version fixed: 5.2.1 SP7 Patch 7; 5.3.1 Patch 11
  Comment: SecureTransport did not disconnect FTP users after the configured number of failed authentication attempts when the user exists in ST. The number is configured in Admin UI > Setup > Miscellaneous > Disconnect after X failed login attempts. This works as expected for SSH transfers, and also when the user does not exist. When the user exists, however, the client can keep trying to brute-force the password or DoS the server indefinitely. Issue is fixed in 5.2.1 SP7 Patch 7 and 5.3.1 Patch 11 and above.
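The following Python model illustrates the RDST-864 behaviour described above: the pre-fix login loop, in which the failure counter only applies to unknown users, next to the fixed loop in which every failed attempt counts, plus a detector that scans server log lines for the same pattern. This is an added example, not SecureTransport code; the account store, the log line format, the threshold and the function names are constructed for illustration.

```python
"""Failed-login handling for an FTP-style login loop: the pre-fix behaviour
(failures only counted for unknown users) beside the fixed behaviour (every
failure counts), plus a log-based detector. Added example, not SecureTransport
code; user store, log format and threshold are constructed."""
import re
from collections import defaultdict

# Constructed sample account store: username -> password
USERS = {"alice": "correct-horse-battery"}
MAX_FAILURES = 3  # stands in for "Disconnect after X failed login attempts"


def check_password(username, password):
    return USERS.get(username) == password


def login_loop_vulnerable(attempts, max_failures=MAX_FAILURES):
    """Pre-fix model: failures are only counted when the user does not exist,
    so an existing account can be tried for as long as the client likes.
    Returns ('authenticated', i), ('disconnected', i) or ('open', None)."""
    failures = 0
    for i, (username, password) in enumerate(attempts):
        if check_password(username, password):
            return ("authenticated", i)
        if username not in USERS:      # the defect: only unknown users count
            failures += 1
            if failures >= max_failures:
                return ("disconnected", i)
    return ("open", None)


def login_loop_fixed(attempts, max_failures=MAX_FAILURES):
    """Fixed model: every failed attempt counts, whether or not the user
    exists, so the client is cut off after the configured number of failures."""
    failures = 0
    for i, (username, password) in enumerate(attempts):
        if check_password(username, password):
            return ("authenticated", i)
        failures += 1
        if failures >= max_failures:
            return ("disconnected", i)
    return ("open", None)


# Constructed log format: "<date> <time> FTP <client_ip> <user> LOGIN FAILED|OK"
LOG_RE = re.compile(
    r"^\S+ \S+ FTP (?P<ip>\S+) (?P<user>\S+) LOGIN (?P<result>FAILED|OK)$")


def find_brute_force_clients(log_lines, threshold=MAX_FAILURES):
    """Detection side: count consecutive failures per (client, user) and report
    pairs that reached the threshold, noting whether the user exists (a real
    account under sustained failure is exactly the case the fix addresses)."""
    streak = defaultdict(int)
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "FAILED":
            streak[key] += 1
            if streak[key] >= threshold:
                hits[key] = {"failures": streak[key],
                             "user_exists": m["user"] in USERS}
        else:
            streak[key] = 0  # a successful login ends the streak
    return hits


if __name__ == "__main__":
    guesses = [("alice", "x"), ("alice", "y"), ("alice", "z"), ("alice", "w")]
    print("vulnerable:", login_loop_vulnerable(guesses))
    print("fixed:     ", login_loop_fixed(guesses))
```

Run with four wrong passwords for an existing account, the vulnerable loop reports `('open', None)` (never disconnects) while the fixed loop reports `('disconnected', 2)`; for an unknown account both loops disconnect at the same point, which is the asymmetry the entry describes.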
Apply policy on temp passwords
  Internal ID: RDST-54
  ST version affected: -
  ST version fixed: 5.3.x
  Comment: Issue is no longer observed once RBFT is replaced with Ad-Hoc and WAP.

Denial of Service for a single user over SFTP with unicode filename
  Internal ID: RDST-533, RDST-541, RDST-4233
  ST version affected: 5.2.x; 5.3.x
  ST version fixed: -
  Comment: To be fixed in a subsequent ST release.

DOM-based Cross-Site Scripting (XSS)
  Internal ID: RDST-534
  ST version affected: 5.2.1.x
  ST version fixed: 5.2.1 SP8
  Comment: DOM-based Cross-Site Scripting (XSS) vulnerabilities arise when user-provided data is consumed by JavaScript and ends up being executed at runtime. The XSS vulnerability existed in the help site, which uses the MadCap software. Issue is fixed in 5.2.1 SP8.

CSRF protection for the WebServices REST API is weak
  Internal ID: RDST-412
  ST version affected: 5.2.1 SP5
  ST version fixed: 5.2.1 SP8
  Comment: CVE-2013-7057. Issue is fixed in 5.2.1 SP8.

Replace HTTP GET with POST for SITs
  Internal ID: RDST-432
  ST version affected: 5.2.1.x
  ST version fixed: 5.2.1 SP8
  Comment: Issue is fixed in 5.2.1 SP8.

CSRF token in the GET method
  Internal ID: RDST-513, RDST-585
  ST version affected: 5.2.1.x; 5.3.x
  ST version fixed: 5.2.1 SP8; 5.3.6
  Comment: The fix, via new configuration options for CSRF protection, is included in 5.2.1 SP8 and the forthcoming 5.3.6.

Application Treats POST and GET Requests Identically
  Internal ID: RDST-587
  ST version affected: 5.2.1.x; 5.3.x
  ST version fixed: 5.2.1 SP8; 5.3.6
  Comment: The fix, via new configuration options for CSRF protection, is included in 5.2.1 SP8 and the forthcoming 5.3.6.

MySQL password leak in install.log
  Internal ID: RDST-532
  ST version affected: 5.2.1.x
  ST version fixed: 5.2.1 SP8
  Comment: Issue is fixed in 5.2.1 SP8.

Hidden Fields
  Internal ID: RDST-586
  ST version affected: -
  ST version fixed: -
  Comment: Tentative plan is for a fix to be provided in a subsequent ST release.

Metadata world readable
  Internal ID: RDST-561
  ST version affected: 5.3.1
  ST version fixed: 5.3.6
  Comment: Fix is to be included in the forthcoming 5.3.6 release.

ST API Documentation Disclosure
  Internal ID: RDST-582
  ST version affected: 5.2.1.x
  ST version fixed: 5.2.1 SP9
  Comment: Fix is targeted for the 5.2.1 SP9 scope.

Files resource doesn't evaluate referrer header
  Internal ID: RDST-250
  ST version affected: 5.3.x
  ST version fixed: 5.3.6
  Comment: Fix is to be included in the forthcoming 5.3.6 release.

Application Leaks CSRF Request Token In URL
  Internal ID: RDST-401
  ST version affected: 5.2.1 SP4
  ST version fixed: 5.2.1 SP8
  Comment: Issue is fixed in 5.2.1 SP8.
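The three CSRF entries above (RDST-513/RDST-585, RDST-587 and RDST-401) describe one class of weakness: a token accepted from the query string, a GET treated like a POST, and a token that consequently ends up in URLs. The Python below is an added example, not SecureTransport code, showing the hardened handling a reviewer would expect (token from a header or POST body only, URL-borne tokens rejected, state-changing requests restricted to POST) together with an access-log scan that flags token-bearing URLs. The parameter and header names, the access-log format and the function names are assumptions.

```python
"""CSRF token handling for a state-changing request, plus a detector for tokens
that have leaked into URLs. Added example, not SecureTransport code; parameter
and header names and the log format are assumptions."""
import hmac
import re
from urllib.parse import urlsplit, parse_qs

CSRF_PARAM = "csrfToken"        # assumed form/query parameter name
CSRF_HEADER = "X-CSRF-Token"    # assumed request header name


class CsrfError(Exception):
    pass


def token_from_request(method, url, headers, form):
    """Return the CSRF token carried by a state-changing request, or raise.
    `headers` and `form` are plain dicts standing in for framework objects."""
    if method.upper() != "POST":
        # A GET must never be accepted as a state-changing request.
        raise CsrfError("state-changing requests must use POST, got " + method)
    query = parse_qs(urlsplit(url).query)
    if CSRF_PARAM in query:
        # A token in the URL lands in access logs, history and Referer headers.
        raise CsrfError("CSRF token must not be passed in the URL")
    token = headers.get(CSRF_HEADER) or form.get(CSRF_PARAM)
    if not token:
        raise CsrfError("missing CSRF token")
    return token


def verify_csrf(session_token, method, url, headers, form):
    """True only when the request carries a token, in an accepted place, that
    matches the token bound to the session. compare_digest avoids a timing
    side channel on the comparison."""
    try:
        token = token_from_request(method, url, headers, form)
    except CsrfError:
        return False
    return hmac.compare_digest(session_token, token)


# Constructed access-log format: '<ip> "<METHOD> <path> HTTP/1.1" <status>'
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')


def urls_leaking_csrf_token(log_lines):
    """Detection: (ip, method, path) for every logged request whose query
    string carries the CSRF parameter, i.e. the token is now in the log."""
    leaks = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        if CSRF_PARAM in parse_qs(urlsplit(m["path"]).query):
            leaks.append((m["ip"], m["method"], m["path"]))
    return leaks


if __name__ == "__main__":
    session = "abc123"
    print(verify_csrf(session, "POST", "/api/v1/files", {CSRF_HEADER: session}, {}))
    print(verify_csrf(session, "GET", "/api/v1/files?csrfToken=abc123", {}, {}))
```

The first call prints `True` (token in a header on a POST); the second prints `False` because the request is a GET and carries its token in the URL, which is exactly what the entries above say must not be accepted.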
Login failures over HTTP are not reflected in the Server Log
  Internal ID: RDST-1379
  ST version affected: 5.3.3; 5.3.5
  ST version fixed: 5.3.6
  Comment: Fix is included in the forthcoming 5.3.6 release.

JSON parameter pollution
  Internal ID: RDST-556
  ST version affected: 5.2.1
  ST version fixed: -
  Comment: Fix is to be included in a future 5.2.1 service pack.

Stack Traces in Error Messages reported by REST API
  Internal ID: RDST-500
  ST version affected: 5.3.1; 5.3.5
  ST version fixed: 5.3.6
  Comment: Fix is included in the forthcoming 5.3.6 release.

Dynamic code evaluation: Unsafe Deserialization - JMX Beans
  Internal ID: RDST-249
  ST version affected: -
  ST version fixed: -
  Comment: False positive.

Dynamic code evaluation: Unsafe Deserialization in DefaultPersistenceStorage
  Internal ID: RDST-251, RDST-257
  ST version affected: 5.3.3; 5.3.5
  ST version fixed: 5.3.6
  Comment: Fix is included in the forthcoming 5.3.6 release.

Double-Checked Locking
  Internal ID: RDST-1524
  ST version affected: 5.3.3; 5.3.5
  ST version fixed: 5.3.6
  Comment: Fix is included in the forthcoming 5.3.6 release.

Sanitize CSV exports
  Internal ID: RDST-52
  ST version affected: 5.3.3; 5.3.5
  ST version fixed: 5.3.6
  Comment: Fix is included in the forthcoming 5.3.6 release.

Missing Secure Attribute in Encrypted Session (SSL) Cookie
  Internal ID: RDST-3699
  ST version affected: 5.3.x; 5.3.5
  ST version fixed: 5.3.6
  Comment: Fix is included in the forthcoming 5.3.6 release.

Address space layout randomisation (ASLR) and SELinux not enabled
  Internal ID: RDST-4153
  ST version affected: -
  ST version fixed: -
  Comment: ST is known not to operate correctly with SELinux enabled, as explicitly stated in the ST documentation.
  Address space layout randomisation (ASLR) is an exploit mitigation technique that randomly arranges the address space of key data areas of a process. Randomly placing virtual memory regions makes memory page exploits harder to write, because the memory placement shifts on every run.
  ASLR can be enabled by adding the following line to the /etc/sysctl.conf file:

    kernel.randomize_va_space = 2

  Although enabling ASLR is expected to have minimal to no impact on ST operation, should reported issues with ST operation be suspected to be caused by it being enabled, one might be asked to disable it.

Basic Authentication supported for ST Admin REST Service
  Internal ID: RDST-4254
  ST version affected: 5.3.1
  ST version fixed: -
  Comment: Use certificate-based authentication, set to mandatory, for ST admind.

Multiple security vulnerabilities against spring-core-3.1.0.RELEASE.jar (Spring Framework)
  Internal ID: RDST-3997
  ST version affected: 5.3.5; 5.3.6
  ST version fixed: 5.3.6
  Comment: Fix is included in the forthcoming 5.3.6 release via an upgrade of the Spring Framework to a non-vulnerable version.

Session Identifier Not Updated
  Internal ID: RDST-3702
  ST version affected: 5.3.5
  ST version fixed: patch over 5.3.5; 5.3.6
  Comment: Fix is going to be part of a forthcoming patch over 5.3.5, and of 5.3.6.

Persistent Cross-Site Scripting (XSS)
  Internal ID: RDST-542, RDST-589
  ST version affected: 5.2.1.x; 5.3.1.x
  ST version fixed: 5.2.1 SP8; 5.3.6
  Comment: Fix for the 5.2.1.x code base is included in 5.2.1 SP8; the fix is going to be part of the forthcoming 5.3.6.

Oracle Application Server PL/SQL Unauthorized SQL Query Execution
  Internal ID: RDST-3701
  ST version affected: 5.3.5
  ST version fixed: -
  Comment: The issue is a false positive, triggered by the HTTP 200 response returned by ST. No information from the database is displayed at any time when using the sample exploit code. A fix for the incorrect HTTP response is targeted for a subsequent ST version.

Information disclosure in API responses, hostname/IP
  Internal ID: RDST-1829
  ST version affected: 5.3.1.x; 5.3.3
  ST version fixed: -
  Comment: Fix is planned for a subsequent future version.

Cacheable HTTPS Responses
  Internal ID: RDST-523
  ST version affected: 5.3.0
  ST version fixed: -
  Comment: Fix is planned for a subsequent future version.

HTTP Buffer Overflow
  Internal ID: RDST-539
  ST version affected: 5.3.1
  ST version fixed: 5.3.6
  Comment: Fixed in the forthcoming 5.3.6 release.

Multiple login with same credentials allowed
  Internal ID: RDST-2382
  ST version affected: 5.0.0
  ST version fixed: -
  Comment: Axway PSG does not consider this to be a security vulnerability.

XSS vulnerability in custom change password
  Internal ID: RDST-2381
  ST version affected: 5.0.0
  ST version fixed: 5.0.0
  Comment: A new build of the custom accelerator used by the customer, with the fix included, has been provided.

Account enumeration vulnerability in custom password reset
  Internal ID: RDST-2884
  ST version affected: 5.0.0
  ST version fixed: 5.0.0
  Comment: A new build of the custom accelerator used by the customer, with the fix included, has been provided.

Password in cleartext in Internet Explorer memory
  Internal ID: RDST-445
  ST version affected: 5.3.0
  ST version fixed: -
  Comment: This defect is in IE; nevertheless a fix is planned within ST scope for a future release.

ST Web UI HTML and JS files should not identify the software vendor (Axway)
  Internal ID: RDST-1451
  ST version affected: 5.3.3; 5.3.5
  ST version fixed: 5.3.6
  Comment: Fixed in the forthcoming 5.3.6 release.

Path exposure in Admin Access rule error message
  Internal ID: RDST-1426
  ST version affected: 5.2.1 - 5.3.3
  ST version fixed: -
  Comment: Fix is planned for a subsequent future version.

Clickjacking vulnerability
  Internal ID: RDST-1538
  ST version affected: 5.2.1 - 5.3.3
  ST version fixed: -
  Comment: Regarding the WAP, the X-Frame-Options header is present in all responses with the value SAMEORIGIN. Regarding the Admin UI, there is a ClickjackingProtectionFilter which sets the X-Frame-Options header to SAMEORIGIN. In conclusion, ST is not vulnerable.
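Three of the entries above are verifiable from a single HTTPS response: the Secure (and HttpOnly) attribute on the session cookie (RDST-3699), the X-Frame-Options header the clickjacking entry (RDST-1538) relies on, and cacheability of HTTPS responses (RDST-523). The Python below is an added example, not SecureTransport code, that parses a raw response head and reports which of those checks fail; the session cookie name and the two sample responses are constructed, and a real audit would feed it the head captured from the server.

```python
"""Response-header audit for three items on this list: Secure/HttpOnly on the
session cookie, X-Frame-Options against clickjacking, and Cache-Control on
HTTPS responses. Added example, not SecureTransport code; the cookie name and
sample responses are constructed."""

SESSION_COOKIE = "JSESSIONID"  # assumed session cookie name


def parse_response(raw):
    """Split a raw HTTP response head into (status_line, headers); headers maps
    lowercased name -> list of values, because Set-Cookie may repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def cookie_attributes(set_cookie):
    """Return (cookie name, set of lowercased attribute names) for one
    Set-Cookie value such as 'JSESSIONID=abc; Path=/; Secure; HttpOnly'."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_response(raw, over_tls=True):
    """Return a sorted list of findings; an empty list means all checks pass."""
    _, headers = parse_response(raw)
    findings = []
    for sc in headers.get("set-cookie", []):
        name, attrs = cookie_attributes(sc)
        if name != SESSION_COOKIE:
            continue
        if over_tls and "secure" not in attrs:
            findings.append("session cookie missing Secure attribute")
        if "httponly" not in attrs:
            findings.append("session cookie missing HttpOnly attribute")
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if not xfo:
        findings.append("X-Frame-Options header absent")
    elif xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options has unexpected value " + xfo[0])
    cache = ",".join(headers.get("cache-control", [])).lower()
    if over_tls and "no-store" not in cache:
        findings.append("HTTPS response is cacheable (no Cache-Control: no-store)")
    return sorted(findings)


# Constructed sample responses: one weak, one with the expected headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html>")
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc; Path=/; Secure; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Cache-Control: no-store\r\n"
    "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("weak:", finding)
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

The weak sample yields four findings (cacheable, no X-Frame-Options, cookie without HttpOnly, cookie without Secure); the hardened sample yields none, matching what the clickjacking entry states about SAMEORIGIN.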

Internal IP Address Disclosure
  Internal ID: RDST-522
  ST version affected: 5.3.0
  ST version fixed: -
  Comment: Fix is planned for a subsequent future version.

Possible spamming by repeating send request in WAP
  Internal ID: RDST-516
  ST version affected: 5.3.0
  ST version fixed: -
  Comment: The described behaviour must not be considered a security vulnerability; it is a permitted user action. It also cannot bring down the HTTP and SMTP services. However, security best practice recommends a threshold to limit malicious use, so this should be addressed in future releases of SecureTransport.

Cookie hijack in WAP allows malicious users to access valid ST accounts and use WAP
  Internal ID: RDST-530
  ST version affected: 5.3.1
  ST version fixed: -
  Comment: The Axway PSG and ST R&D statement is that this is not a vulnerability. Converted to a feature enhancement request.

API Verbose Error Messages
  Internal ID: RDST-528
  ST version affected: 5.2.1 SP6
  ST version fixed: -
  Comment: Fix is planned for a subsequent future version.

AdHoc subject and/or body are not sent to DLP for inspection, when they should be
  Internal ID: RDST-1947
  ST version affected: 5.3.0
  ST version fixed: 5.3.3
  Comment: Issue fixed in 5.3.3.

Basic Authentication and Autocomplete=Off for Admin and RESTful API
  Internal ID: RDST-1790
  ST version affected: 5.3.1
  ST version fixed: -
  Comment: CWE-308, CWE-309 and CWE-654. Username and certificate authentication is already available for both the Admin UI and the RESTful API (Admin) access. Autocomplete can be set to off (in /opt/Axway/SecureTransport/tomcat/admin/webapps/coreadmin/auth/login.jspx, add autocomplete="off" next to method="post"); however, some browsers (like Firefox) ignore the value and still save the credentials (and prompt the user, of course). Converted to enhancement request (ER 1923) to be included in a future release.

REST API Web Services
  Internal ID: RDST-388
  ST version affected: 5.2.1 SP3
  ST version fixed: -
  Comment: The AdHoc shared folders depend on various information returned from the server, such as user id, group id and others, in order to work properly. Those attributes are used to implement the logic for sharing between users and business units, and the associated permissions. This is not a security threat: all this information is provided to authenticated users only, and only for the files they are allowed to access.

LDAP Credentials
  Internal ID: RDST-379
  ST version affected: 5.2.1 SP3
  ST version fixed: -
  Comment: Fix is planned for a future version.

Locking Out Administrative Users
  Internal ID: RDST-380
  ST version affected: 5.2.1 SP3
  ST version fixed: -
  Comment: Fix is planned for a future version.

User Lock
  Internal ID: RDST-378
  ST version affected: 5.2.1 SP3
  ST version fixed: 5.3.3
  Comment: Ability to lock the account after x predefined wrong authentication attempts; when used in conjunction with the Login Threshold Maintenance application, there is an automated way to unlock the accounts at a predefined interval and send notifications on the actions taken.

Admind session cookie exposes username
  Internal ID: RDST-382
  ST version affected: 5.2.1 SP2 - 5.3.3
  ST version fixed: -
  Comment: Fix is planned for a future version.

Autocomplete Enabled
  Internal ID: RDST-536
  ST version affected: 5.3.0 patch 16
  ST version fixed: -
  Comment: See KB 102076.