[EXASOL-2903] Insufficient default settings for security relevant HTTP response headers Created: 04.06.2021  Updated: 04.06.2021  Resolved: 04.06.2021

Status: Resolved
Project: EXASOL Roadmap
Component/s: None
Affects Version/s: Exasol 6.2.0, Exasol 7.0.0, Exasol 7.1.beta1
Fix Version/s: Exasol 7.1.0, Exasol 6.2.15, Exasol 7.0.10

Type: Bug Priority: Major
Reporter: Captain EXASOL Assignee: Captain EXASOL
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Blocking
Causing

Description

Vulnerability

Due to insufficient defaults being used for some security-relevant HTTP response headers, Exaoperation was vulnerable to clickjacking attacks.

If a user who is logged into Exaoperation interacts with a malicious website, that website could interact with Exaoperation using the user's credentials.

Workaround

We recommend an immediate update to remedy the issue.

Additionally, we recommend only logging into Exaoperation when needed and logging out afterwards, or using a secondary browser profile that is used solely to interact with Exaoperation.

Fix

The relevant default settings for HTTP response headers were strengthened to align with security best practices. Additionally, more defenses against XSS attacks were implemented.
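The issue does not list which headers were changed, so the following is an added example (not Exasol or Exaoperation code) showing how a defender can verify that a web interface's response headers actually prevent framing, the condition clickjacking depends on. It checks the two standard mechanisms, Content-Security-Policy frame-ancestors and X-Frame-Options, plus the presence of a CSP and nosniff as the kind of XSS-related hardening the fix paragraph alludes to. The sample header sets are constructed, not captured from a real instance.

```python
"""Audit an HTTP response's headers for clickjacking and related defenses.

Added example, not Exasol/Exaoperation code. Which headers Exaoperation
actually sends is not stated in the issue; the header names checked here are
the standard browser-honoured mechanisms, assumed to be the relevant ones.
"""
from __future__ import annotations

from typing import Mapping


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source tokens]}, lower-cased."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def clickjacking_protection(headers: Mapping[str, str]) -> tuple[bool, str]:
    """Return (protected, explanation) for one response's headers.

    Header lookup is case-insensitive. A frame-ancestors directive in
    Content-Security-Policy is checked first because browsers ignore
    X-Frame-Options when frame-ancestors is present.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # '*' or a bare scheme source lets any site of that scheme frame the page.
            if "*" in ancestors or "http:" in ancestors or "https:" in ancestors:
                return False, f"frame-ancestors allows any origin: {ancestors}"
            return True, f"CSP frame-ancestors restricts framing to {ancestors}"

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options and no CSP frame-ancestors: framable by any site"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {value}"
    # ALLOW-FROM is no longer honoured by current browsers; other values are invalid.
    return False, f"X-Frame-Options value not honoured by current browsers: {xfo!r}"


def audit(headers: Mapping[str, str]) -> list[str]:
    """Collect findings for the header classes this issue is about."""
    findings: list[str] = []
    protected, why = clickjacking_protection(headers)
    findings.append(f"{'OK' if protected else 'FAIL'} clickjacking: {why}")
    lower = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" not in lower:
        findings.append("WARN no Content-Security-Policy header (XSS mitigation missing)")
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("WARN X-Content-Type-Options: nosniff not set")
    return findings


# Constructed sample header sets (not captured from a real Exaoperation instance).
WEAK_DEFAULT = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "example",
}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("weak default", WEAK_DEFAULT), ("hardened", HARDENED)):
        print(name)
        for line in audit(hdrs):
            print("  " + line)
```

Feed it the headers of a captured response (for example the dict from `requests.Response.headers` or `http.client` output) to confirm an update actually landed; a FAIL line on the clickjacking check means the interface can still be embedded by a third-party page.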


Generated at Sun Oct 17 08:41:25 CEST 2021 using Jira 7.13.18#713018-sha1:e1230154f8ff8cc9272975bf568fc732e806fd68.