Summary
Question
The vulnerability allows improper restriction of rendered UI layers or frames in Release Control, which may let malicious users perform UI redress (clickjacking) attacks. Micro Focus has provided the following instructions to resolve the issue.
The steps below describe how to use Tomcat's built-in HttpHeaderSecurityFilter, which adds an X-Frame-Options header to every response, to resolve this issue. Documentation on this filter is available here if additional detail or context is required: https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#HTTP_Header_Security_Filter.
- Stop Release Control and go to the <Release Control Installation Path>\servers\server-0\conf folder.

- Edit the web.xml file to enable the filter by uncommenting the following lines:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>

- Add the following parameter to the filter:

    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>

  The filter may resemble the following after your revision:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>

- Locate the filter mapping and uncomment it:

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

- Remove the following line from the filter mapping:

    <dispatcher>REQUEST</dispatcher>

  The filter mapping may resemble the following after your revision:

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

- Save your changes and restart Release Control.
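The following script is an added example, not Micro Focus' or Tomcat's own code. It verifies the procedure above offline: it parses a web.xml and reports whether the httpHeaderSecurity filter is declared, whether antiClickJackingOption is set, and whether the filter is mapped to /*; a second helper evaluates the response headers a client would see after the restart. The two web.xml documents and the header dictionary embedded in it are constructed samples, and the hypothetical function names (audit_web_xml, check_frame_headers) are my own.

```python
"""Offline check of a Tomcat web.xml for the HttpHeaderSecurityFilter clickjacking settings."""
import xml.etree.ElementTree as ET

# Constructed pre-remediation sample: the filter is still commented out.
BEFORE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!--
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
  -->
</web-app>
"""

# Constructed post-remediation sample matching the steps on this page.
AFTER_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Values the Tomcat filter accepts for antiClickJackingOption.
VALID_OPTIONS = {"DENY", "SAMEORIGIN", "ALLOW-FROM"}


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Stripped text of the first child with local name `name`, else None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_web_xml(xml_text, filter_name="httpHeaderSecurity"):
    """Report whether the clickjacking filter is declared, configured and mapped.

    ElementTree discards XML comments while parsing, so a filter that is still
    commented out is reported exactly like a missing one, which is the state
    the remediation fixes.
    """
    root = ET.fromstring(xml_text)
    report = {"declared": False, "option": None, "patterns": [], "issues": []}
    for elem in root:
        if _child_text(elem, "filter-name") != filter_name:
            continue
        kind = _local(elem.tag)
        if kind == "filter":
            report["declared"] = True
            for param in elem:
                if (_local(param.tag) == "init-param"
                        and _child_text(param, "param-name") == "antiClickJackingOption"):
                    report["option"] = _child_text(param, "param-value")
        elif kind == "filter-mapping":
            pattern = _child_text(elem, "url-pattern")
            if pattern:
                report["patterns"].append(pattern)
    if not report["declared"]:
        report["issues"].append("filter '%s' not declared (still commented out?)" % filter_name)
    elif report["option"] is None:
        report["issues"].append("antiClickJackingOption not set; the page sets it to SAMEORIGIN")
    elif report["option"].upper() not in VALID_OPTIONS:
        report["issues"].append("antiClickJackingOption has unknown value %r" % report["option"])
    if "/*" not in report["patterns"]:
        report["issues"].append("filter not mapped to /*")
    return report


def check_frame_headers(headers):
    """Evaluate a response's headers (names case-insensitive) for framing protection.

    Returns a list of findings; an empty list means the response carries an
    X-Frame-Options value that restricts framing.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options header missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN") and not xfo.upper().startswith("ALLOW-FROM"):
        findings.append("unexpected X-Frame-Options value %r" % xfo)
    return findings


if __name__ == "__main__":
    for label, doc in (("before", BEFORE_WEB_XML), ("after", AFTER_WEB_XML)):
        print(label, audit_web_xml(doc))
    # Constructed headers, as you would capture them with `curl -I` after the restart.
    print(check_frame_headers({"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"}))
```

Run audit_web_xml against the real web.xml in the conf folder before restarting; an empty issues list means the three changes are in place. After the restart, check_frame_headers on the headers of any Release Control page confirms the filter is actually emitting X-Frame-Options: SAMEORIGIN, which is the property that stops the UI redress attack.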