A medium-severity clickjacking vulnerability has been found in the VIP Enterprise Gateway (EG) console.
The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could expose the site to a clickjacking or UI redress attack, in which an attacker tricks a user into clicking an area of the vulnerable page that is different from what the user perceives the page to be. This can result in the user performing fraudulent or malicious transactions.
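A header check a defender can run against the console's responses (for example, to confirm the finding before patching and its absence afterwards), added here as an example and not code from the KB or the VIP EG product. It classifies each response the way the finding above does, counts only X-Frame-Options DENY/SAMEORIGIN and an enforced CSP frame-ancestors directive as protection, and reports every path that lacks it, since the header has to be present on all content responses. The sample paths and headers are constructed.

```python
import urllib.request
from typing import Dict, Iterable, List, Tuple

def frame_protection(headers: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Classify one response's headers as protected against framing or not.

    Protected means X-Frame-Options: DENY/SAMEORIGIN, or an enforced
    Content-Security-Policy carrying a frame-ancestors directive. ALLOW-FROM
    is obsolete and ignored by current browsers, and the Report-Only CSP
    header never blocks framing, so neither counts.
    """
    found: List[str] = []
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "x-frame-options":
            if value.strip().upper() in ("DENY", "SAMEORIGIN"):
                found.append("X-Frame-Options")
        elif lname == "content-security-policy":
            # Directives are ';'-separated; the first token is the directive name.
            for directive in value.split(";"):
                tokens = directive.strip().lower().split()
                if tokens and tokens[0] == "frame-ancestors":
                    found.append("CSP frame-ancestors")
    if found:
        return True, "protected by " + ", ".join(sorted(set(found)))
    return False, "no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors"

def unprotected_paths(responses: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Paths whose response lacks protection; the header must be on *all*
    content responses, so one protected login page does not clear the finding."""
    return [p for p, h in responses.items() if not frame_protection(h)[0]]

def fetch_headers(url: str) -> List[Tuple[str, str]]:
    """Live check helper: GET one URL and return its response headers."""
    with urllib.request.urlopen(url) as resp:
        return resp.getheaders()

# Constructed sample responses, not captured from a real VIP EG console.
SAMPLE_RESPONSES = {
    "/login": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "/console": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "/settings": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "/help": [("X-Frame-Options", "ALLOW-FROM https://example.invalid")],
}

if __name__ == "__main__":
    for path, hdrs in SAMPLE_RESPONSES.items():
        print(path, frame_protection(hdrs)[1])
    print("unprotected:", unprotected_paths(SAMPLE_RESPONSES))
```

For a live check, pass the headers returned by `fetch_headers()` for each console URL into `frame_protection()`; a console served with a self-signed certificate will need an appropriate SSL context supplied to `urlopen`.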
VIP EG 9.8.4 Instructions:
Note: This patch applies only to VIP EG v.9.8.4 (Windows/Linux). Upgrade existing installations to VIP EG 9.8.4 before proceeding.
Log directly into the VIP EG 9.8.4 server machine(s). Download and extract VIP_EG984_Patch.zip onto the server.
Stop all VIP EG services, such as VIP Enterprise Gateway, SSP IdP, VIP Manager IdP, etc.
Navigate to the EG install path and delete the /server/work/jetty-*** folder (e.g., <INSTALL_DIR>/server/work/jetty-0.0.0.0-8232-vipconsole.war-_vipegconsole-any-).
If the self-service portal (SSP) IdP is configured, navigate to the EG install path and delete the /IDP/services/SSP/jetty-*** folder (e.g., <INSTALL_DIR>/IDP/services/SSP/jetty-0.0.0.0-8233-sspwebapp-_vipssp-any-).
If VIP Manager IdP is configured, delete the /IDP/services/VIPMGR/jetty-*** folder (e.g., <INSTALL_DIR>/IDP/services/VIPMGR/jetty-0.0.0.0-8234-vipmgrwebapp-_vipmgr-any-).
Navigate to the <INSTALL_DIR>/server/ext/ folder and create a backup of the existing engine.jar file. Copy the new engine.jar attached to this KB into this folder.
Navigate to the <INSTALL_DIR>/server/webapps/ folder and create a backup of the existing vipconsole.war file. Copy the new vipconsole.war attached to this KB into this folder.