For customers running Apache Tomcat version 7.0.56, a vulnerability web scan of the URL https://autopilot.xxx.com/navigator/ (running Navigator v10.0.8.20) may report the following findings:
- The response is not protected by a valid X-Frame-Options header (DENY, SAMEORIGIN or ALLOW-FROM).
- Configure X-Content-Type-Options to nosniff in all responses to ensure that MIME sniffing does not occur on the client side.
Solution
- Upgrade to Apache Tomcat 8.x or 9.x.
- Add the following <filter> and <filter-mapping> entries to the <tomcat_install>/conf/web.xml file, where they apply to every deployed web application (placing them in the application's own WEB-INF/web.xml instead limits them to that application). HttpHeaderSecurityFilter sends X-Content-Type-Options: nosniff by default, so this one filter resolves both findings:
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
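To confirm the two findings are gone after restarting Tomcat, here is an added Python check (not part of the original article and not Tomcat's own code) that audits a response's headers against the scanner's criteria: X-Frame-Options must be DENY, SAMEORIGIN or ALLOW-FROM, and X-Content-Type-Options must be nosniff. The sample "before" and "after" responses are constructed; audit_url is a hypothetical helper for checking a live server.

```python
"""Audit an HTTP response for the two scan findings discussed above."""
from email.parser import Parser
from http.client import HTTPMessage
import urllib.request

# X-Frame-Options directives the scanner accepts as a valid setting.
VALID_XFO = ("DENY", "SAMEORIGIN", "ALLOW-FROM")


def parse_headers(raw: str) -> HTTPMessage:
    """Parse a raw header block (status line optional) into a case-insensitive mapping."""
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line, keep only header fields
    return Parser(_class=HTTPMessage).parsestr("\r\n".join(lines) + "\r\n\r\n")


def audit_headers(headers) -> list[str]:
    """Return the findings still present; an empty list means both are fixed."""
    findings = []
    xfo = (headers.get("X-Frame-Options") or "").strip().upper()
    if not xfo.startswith(VALID_XFO):  # missing, empty or an unknown directive
        findings.append("X-Frame-Options missing or invalid")
    xcto = (headers.get("X-Content-Type-Options") or "").strip().lower()
    if xcto != "nosniff":
        findings.append("X-Content-Type-Options not set to nosniff")
    return findings


def audit_url(url: str) -> list[str]:
    """Fetch a live URL and audit its response headers (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        return audit_headers(resp.headers)


# Constructed sample responses: before and after the filter is configured.
BEFORE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
"""
AFTER = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(parse_headers(raw)) or "OK")
```

Run it against the real server with audit_url("https://autopilot.xxx.com/navigator/") once the filter is in place; an empty list means the scan should no longer flag either header.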