Various directories at the web application context root that are not part of the web interface are accessible using HTTP GET. In particular, the file /config/Waveset.properties is accessible, and might contain sensitive data. The fix for this bug adds a security-constraint to the web application deployment descriptor (web.xml) to block HTTP access. (ID-20070)
New installations of Oracle Waveset version 8.1.1 include this fix. Existing deployments, including those upgraded to version 8.1.1, do not receive it automatically and need the following element added to the deployment descriptor:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unpublished Files</web-resource-name>
    <url-pattern>/bin/*</url-pattern>
    <url-pattern>/config/*</url-pattern>
    <url-pattern>/doc/*</url-pattern>
    <url-pattern>/exporter/*</url-pattern>
    <url-pattern>/patches/*</url-pattern>
    <url-pattern>/sample/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

The empty <auth-constraint/> element permits no role at all, so the container refuses every request for these paths whether or not the caller is authenticated. Because the collection lists no <http-method>, the constraint applies to all HTTP methods, not only GET.
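A practitioner checking an existing deployment will want to confirm that all six directories are actually covered, not just that some constraint exists. The following script is an added example, not Oracle Waveset code: it parses a web.xml (namespaced or not) and lists the unpublished directories that are not protected by a security-constraint with an empty auth-constraint. The sample descriptor embedded in it is constructed for the demonstration and deliberately covers only two of the six paths.

```python
"""Check that a web.xml denies HTTP access to Waveset's unpublished directories.

Added example, not Oracle Waveset code: it reads a deployment descriptor and
reports which of the six directories from ID-20070 are not covered by a
<security-constraint> whose empty <auth-constraint/> denies every caller.
"""
import xml.etree.ElementTree as ET

# The url-patterns the ID-20070 fix blocks.
UNPUBLISHED = ["/bin/*", "/config/*", "/doc/*", "/exporter/*", "/patches/*", "/sample/*"]


def _local(tag):
    """Strip the {namespace} prefix that Servlet 2.4+ descriptors carry on every tag."""
    return tag.rsplit("}", 1)[-1]


def denied_patterns(web_xml_text):
    """Return the url-patterns that an empty <auth-constraint/> denies to everyone."""
    root = ET.fromstring(web_xml_text)
    denied = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        # No auth-constraint means no authorization check at all; one that names
        # roles still lets those roles in. Only an empty element denies everyone.
        if not auth or any(_local(g.tag) == "role-name" for g in auth[0]):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            # Listing <http-method> elements narrows the constraint to those
            # methods; treat such a collection as incomplete rather than reason
            # about which methods it leaves open.
            if any(_local(c.tag) == "http-method" for c in wrc):
                continue
            for child in wrc:
                if _local(child.tag) == "url-pattern":
                    denied.add((child.text or "").strip())
    return denied


def missing_constraints(web_xml_text):
    """Unpublished directories the descriptor still leaves reachable, in ID-20070 order."""
    denied = denied_patterns(web_xml_text)
    return [p for p in UNPUBLISHED if p not in denied]


# Constructed descriptor for the demonstration: a partial fix that covers only
# /bin/* and /config/*, plus a role-restricted /doc/* that does not count.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Unpublished Files</web-resource-name>
      <url-pattern>/bin/*</url-pattern>
      <url-pattern>/config/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Docs</web-resource-name>
      <url-pattern>/doc/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for pattern in missing_constraints(text):
        print("not blocked:", pattern)
```

Run it against the deployed WEB-INF/web.xml after the edit; an empty result means all six paths are denied. The check is deliberately strict: a constraint that restricts only certain HTTP methods or grants a role is reported as missing rather than reasoned about.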
When a WorkItem or TaskInstance is accessed through the anonymous end-user interface (for example, user/anonWorkItemEdit.jsp), the URL identifies the object only by its repository ID. Authorization now requires the anonymousUser value set in the anonLogin.jsp page to match the owner field of the repository object, so knowing an ID is no longer enough to open an object that belongs to someone else. (ID-21434)
Oracle Waveset pages could be loaded inside a frameset on another site, leaving users vulnerable to a “clickjacking” attack. This is fixed by adding frame-detection logic to the HTML rendered for every page. (ID-22406) Script-based frame detection only works when the browser executes the page's JavaScript; where the web container or a front-end proxy can set response headers, adding X-Frame-Options (or a Content-Security-Policy frame-ancestors directive) gives a protection that does not depend on the script.
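To verify the fix, and to see whether a header-based control is also in place, the following checker is an added example and not Oracle Waveset code. Given a response's headers and body it reports whether the page is protected by a header, only by frame-detection script, or not at all. The response samples are constructed; the frame-detection idioms it searches for are the common ones, not necessarily the exact script Waveset emits.

```python
"""Audit an HTTP response for clickjacking protection.

Added example, not Oracle Waveset code. The ID-22406 fix adds frame-detection
script to every page; this checker looks for that kind of script and for the
header controls (X-Frame-Options, CSP frame-ancestors) that protect the page
even when the browser does not run its JavaScript.
"""
import re

# Typical frame-detection idioms: "if (top != self)", "window.top !== window.self",
# "if (self !== top)", or a test of window.frameElement.
FRAME_SCRIPT_RE = re.compile(
    r"(?:window\.)?(?:top|self)\s*!==?\s*(?:window\.)?(?:top|self)|\bframeElement\b"
)


def csp_frame_ancestors(headers):
    """Return the frame-ancestors source list from Content-Security-Policy, or None.

    headers must already have lower-case keys.
    """
    csp = headers.get("content-security-policy")
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def audit_framing(headers, body):
    """Classify a response as 'header', 'script-only' or 'none'.

    headers: dict of response headers (any case); body: the HTML text.
    """
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = csp_frame_ancestors(h)
    header_control = xfo in ("DENY", "SAMEORIGIN") or (
        ancestors is not None and "*" not in ancestors
    )
    if header_control:
        return "header"
    if FRAME_SCRIPT_RE.search(body):
        return "script-only"
    return "none"


# Constructed responses for the demonstration.
PAGE_WITH_SCRIPT = """<html><head><script>
if (top != self) { top.location = self.location; }
</script></head><body>Work Items</body></html>"""

PAGE_PLAIN = "<html><body>Work Items</body></html>"

if __name__ == "__main__":
    print(audit_framing({"Content-Type": "text/html"}, PAGE_WITH_SCRIPT))  # script-only
    print(audit_framing({"X-Frame-Options": "SAMEORIGIN"}, PAGE_PLAIN))     # header
    print(audit_framing({}, PAGE_PLAIN))                                    # none
```

A result of "script-only" is what a stock 8.1.1 page should give after the fix; treating it as a finding to raise rather than a pass is the conservative reading, since frame-busting scripts can be defeated by a browser with scripting disabled or by an attacker who sandboxes the frame.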
Added a property to the Waveset.properties file that prevents stack trace information from being displayed. (ID-22409)
By default, Oracle Waveset returns stack trace information as HTML comments when some errors occur. The stack trace is not normally visible to the end user, but anyone can reveal it by viewing the page source. This information is very useful when diagnosing a problem, but it exposes details of the web application's execution (class names and the code path that led to the error) that can be considered a security risk. Production deployments should therefore turn off the rendering of stack information with the following setting in Waveset.properties:
ui.web.disableStackTraceComments=true
This change must be made manually on each Oracle Waveset server.
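Two checks follow from this: that the property is set on every server, and that error pages no longer carry stack frames in comments. The following script is an added example, not Oracle Waveset code. Its properties reader is minimal (no escapes or line continuations), and the error page and class names in its sample data are constructed for the demonstration.

```python
"""Find stack traces leaked in HTML comments and check the Waveset.properties switch.

Added example, not Oracle Waveset code: parse_properties() is a minimal reader
for Java .properties files, stack_traces_disabled() tests the ID-22409 setting,
and leaked_stack_traces() scans a page for comments that contain Java stack
frames, which is how a reviewer would confirm the setting took effect.
"""
import re


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments.

    Line continuations and escapes are not handled; enough for simple files.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def stack_traces_disabled(props):
    """True when ui.web.disableStackTraceComments is set to true."""
    return props.get("ui.web.disableStackTraceComments", "").strip().lower() == "true"


COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# A Java stack frame: "at package.Class.method(File.java:123)" or "(Native Method)".
FRAME_RE = re.compile(r"^\s*at\s+[\w$.]+\([^)]*\)", re.M)


def leaked_stack_traces(html):
    """Return the HTML comments in html that contain Java stack frames."""
    return [c.strip() for c in COMMENT_RE.findall(html) if FRAME_RE.search(c)]


# Constructed samples. The class names are made up for the demonstration.
SAMPLE_PROPERTIES = """# Waveset.properties (excerpt)
ui.web.disableStackTraceComments=false
"""

SAMPLE_PAGE = """<html><body>
<!-- page header -->
<p>An error occurred.</p>
<!--
java.lang.NullPointerException
    at com.example.web.FormHandler.render(FormHandler.java:88)
    at com.example.web.Dispatcher.service(Dispatcher.java:41)
-->
</body></html>"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("stack trace comments disabled:", stack_traces_disabled(props))  # False
    for comment in leaked_stack_traces(SAMPLE_PAGE):
        print("leaked trace:\n" + comment)
```

Because the property must be set per server, run the properties check against each node's Waveset.properties rather than one copy; the page scan is useful against an error page fetched from each node behind a load balancer for the same reason.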
By default, Oracle Waveset returns a specific error message when a login attempt fails, which lets an attacker tell a valid account name from an invalid one by comparing the responses. To return only a generic 'login failed' message, change the settings under Security -> Login -> Login Application. (ID-22574)
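The following is an added example, not Oracle Waveset code, showing why the default is a problem: a toy login handler in a specific-message form and a generic-message form, together with the probe an attacker uses to sort candidate names by comparing each failure message to that of a name known not to exist. The user store, the password hashing and the candidate names are constructed for the demonstration.

```python
"""Account enumeration through login failure messages (ID-22574).

Added example, not Oracle Waveset code: a toy login handler in a
specific-message form, as Waveset behaves by default, and a generic-message
form, plus the probe an attacker uses to separate valid account names from
invalid ones. The user store and password handling are constructed for the
demonstration.
"""
import hashlib
import hmac

# Constructed user store: username -> SHA-256 of the password (no salt, for brevity).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
# Hash compared against for unknown users so a miss costs the same as a hit.
_DUMMY = hashlib.sha256(b"dummy").hexdigest()


def _password_ok(user, password):
    stored = USERS.get(user, _DUMMY)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, supplied) and user in USERS


def login_specific(user, password):
    """Default behaviour: the message says which check failed."""
    if user not in USERS:
        return False, "Unknown user"
    if not _password_ok(user, password):
        return False, "Incorrect password"
    return True, "OK"


def login_generic(user, password):
    """Hardened: one message for every failure; the hash is always computed."""
    if _password_ok(user, password):
        return True, "OK"
    return False, "Login failed"


def enumerate_accounts(login, candidates, probe_password="probe"):
    """Candidate names whose failure message differs from a name known not to exist."""
    _, baseline = login("no-such-user-zzz", probe_password)
    return [c for c in candidates if login(c, probe_password)[1] != baseline]


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print(enumerate_accounts(login_specific, names))  # ['alice']
    print(enumerate_accounts(login_generic, names))   # []
```

The generic message is necessary but not sufficient: a measurable difference in response time between unknown users and wrong passwords, account-lockout behaviour that only triggers for real accounts, or a password-reset form with its own messages can leak the same bit, so check those paths as well.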