Upgrade Guide › Upgrade Prerequisites › Steps to Address OAuth Security Vulnerability

Steps to Address OAuth Security Vulnerability

A Gateway with OAuth installed may be vulnerable to unauthorized access due to the following issues:

• OAuth SAML token grant type does not check signer of bearer token
• OAuth validation and storage endpoints do not validate TLS client certificate

Important! No known exploitations of this vulnerability have occurred at sites running the affected software.

Note: OAuth policies may be vulnerable if the SAML token grant type policy branches are present, regardless of whether they are actually used.

Affected Product Versions

Important! CA CloudMinder 1.5x must be considered affected by this vulnerability.

All currently released versions of the OAuth Toolkit and CA Mobile API Gateway are affected:

• OAuth Toolkit installed by CA API Gateway versions before 8.2
• MAG Policies installed by CA Mobile API Gateway versions before 2.2

CA CloudMinder1.5x uses a Gateway version 7.1 with MAG version 2.0.1.

Solution

A two-part solution exists, involving the following components:

• OAuth SAML Token Grant Type
• Validation with Storage Endpoints

OAuth SAML Token Grant Type

The Gateway in CA CloudMinder 1.5x does not utilize the SAML grant type. Therefore, you add a "Stop Processing" assertion at the top of a specific policy to ensure that the vulnerable policy branch is never successfully executed.

Perform the following steps for each tenant:

1. In the Gateway Policy Manager or webadmin, open the policy that is named:
   <PREFIX> MAG-<version>/Policy Fragments/grant_types/OTK grant_type=SAML
2. Disable support for the SAML Token grant type by inserting a "Stop Processing" assertion at the top of the policy.
3. Save and activate the changes.

Validation with Storage Endpoints

The Gateway in CA CloudMinder 1.5x uses some of the storage and validation endpoints that are affected by the vulnerability of lacking TLS certificate validation. Because the endpoints in question only need to be accessible by the Gateway itself, you can mitigate the vulnerability by only allowing local access.

Perform the following steps for each tenant:

1. Copy the following policy XML snippet from this document:

   <?xml version="1.0" encoding="UTF-8"?>
   <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
       <wsp:All wsp:Usage="Required">
           <wsp:OneOrMore wsp:Usage="Required">
               <L7p:RemoteIpAddressRange>
                   <L7p:NetworkMask intValue="8"/>
                   <L7p:StartIp stringValue="127.0.0.0"/>
               </L7p:RemoteIpAddressRange>
               <L7p:RemoteIpAddressRange>
                   <L7p:NetworkMask intValue="128"/>
                   <L7p:StartIp stringValue="::1"/>
               </L7p:RemoteIpAddressRange>
           </wsp:OneOrMore>
       </wsp:All>
   </wsp:Policy>
   

2. Search for endpoints within the folder "SecureZone - OVP":
   1. /oauth/validation/v2/client
   2. /oauth/validation/validate/v2/refreshtoken
   3. /oauth/validation/validate/v2/token
   4. /oauth/validation/validate/v2/idtoken
3. Search for endpoints within the folder "SecureZone - Storage":
   1. /oauth/clientstore/*
   2. /oauth/tokenstore/*
   3. /oauth/session/*
4. Within each policy, paste the snippet into the top of the policy. Look for results that are similar to the following graphic:
   
5. Save and then activate the modified policy.