Article ID: 129602, created on Oct 11, 2016, last review on Oct 20, 2016

  • Applies to:
  • Operations Automation 7.0

Situation

Software issue #POA-106802 allows OA users to communicate with the Domain SDK endpoint without authentication.

Impact

Users of an OA system who have access to the backnet network can communicate with the Domain SDK endpoint without authorization. This may lead, for example, to a malicious shared hosting user attempting to exploit potential weaknesses in current or future Domain plugins or in the Domain SDK framework itself. Note that there are no known security weaknesses in the Domain SDK or its plugins that can be immediately exploited this way.

Solution

The fix is planned to be included in one of the future product updates. Until the fix is released, please use the workaround below:

On the Domain SDK service node:

  1. Back up the configuration file:

    # cp /etc/httpd.d/conf.d/pa-domain-sdk.conf{,.backup}

  2. Open the original file and find the line:

    <VirtualHost>

  3. Add the following snippet after it:

    <Location />
     Order deny,allow
     Deny from all
     Allow from 192.0.2.2
    </Location>

    where 192.0.2.2 is the communication (internal) IP address of the management node.

  4. Reload the HTTPD service:

    # /etc/init.d/httpd reload

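The steps above, collected into a small POSIX shell helper as an added example (it is not part of the article and not Odin's own tooling): `restrict_domain_sdk` backs up the file, inserts the `<Location />` block directly after the first line beginning with `<VirtualHost`, and is safe to re-run; `verify_restriction` checks that the block is in place and allows only the management IP. The file path, the management IP and the sample configuration in the usage line are assumptions; on the real node pass `/etc/httpd.d/conf.d/pa-domain-sdk.conf` and your management node's internal address.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the config has one
# line starting with "<VirtualHost" and that the first argument is a copy of
# (or the real) pa-domain-sdk.conf; the second argument is the management IP.

# restrict_domain_sdk CONF MGMT_IP
# Back up CONF to CONF.backup and insert the allow-list block right after the
# <VirtualHost ...> line. Does nothing if a <Location /> block already exists.
restrict_domain_sdk() {
    conf="$1"
    mgmt_ip="$2"
    if grep -q '^[ \t]*<Location />' "$conf"; then
        echo "restriction already present in $conf, nothing changed" >&2
        return 0
    fi
    cp "$conf" "$conf.backup"
    awk -v ip="$mgmt_ip" '
        { print }                               # copy every original line
        /^[ \t]*<VirtualHost/ && !done {        # after the first VirtualHost line ...
            print "<Location />"                # ... emit the access restriction
            print " Order deny,allow"
            print " Deny from all"
            print " Allow from " ip
            print "</Location>"
            done = 1
        }
    ' "$conf.backup" > "$conf"
}

# verify_restriction CONF MGMT_IP
# Exit 0 only when a <Location /> block follows the <VirtualHost> line,
# denies everything, and allows exactly MGMT_IP (no other Allow lines).
verify_restriction() {
    awk -v ip="$2" '
        /^[ \t]*<VirtualHost/                        { vh = NR }
        vh && NR == vh + 1 && /^[ \t]*<Location \/>/ { loc = 1 }
        loc && /^[ \t]*Order deny,allow/             { order = 1 }
        loc && /^[ \t]*Deny from all/                { deny = 1 }
        loc && /^[ \t]*Allow from /                  { if ($3 == ip) allow = 1; else other = 1 }
        /^[ \t]*<\/Location>/                        { loc = 0 }
        END { exit !(order && deny && allow && !other) }
    ' "$1"
}

# Usage on the service node (commented out so the functions can be sourced):
#   restrict_domain_sdk /etc/httpd.d/conf.d/pa-domain-sdk.conf 192.0.2.2
#   verify_restriction  /etc/httpd.d/conf.d/pa-domain-sdk.conf 192.0.2.2 && httpd -t && /etc/init.d/httpd reload
```

Run `httpd -t` (syntax check) before the reload so a typo does not take the SDK service down. After the reload, a request to the endpoint from any backnet host other than the management node should be answered with HTTP 403; a 200 means the block landed inside the wrong `<VirtualHost>` or the wrong IP was used. The `Order`/`Deny`/`Allow` directives are the Apache 2.2 access-control syntax used by the article; on Apache 2.4 they only work with `mod_access_compat` loaded, and the native equivalent is `Require ip 192.0.2.2`.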

Call to Action

Odin takes the security of our customers very seriously. To avoid the potential risks, customers are encouraged to apply the suggested workaround and to install the fix as soon as it is released.
