The CA API Gateway must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.

From CA API Gateway ALG Security Technical Implementation Guide

Part of SRG-NET-000273-ALG-000129

Associated with: CCI-001312

SV-86011r1_rule The CA API Gateway must generate error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries.

Vulnerability discussion

Providing too much information in error messages risks compromising the data and security of the application and system.Organizations must carefully consider the structure/content of error messages. The required information within error messages will vary based on the protocol and error condition. Information that could be exploited by adversaries includes, for example, ICMP messages that reveal the use of firewalls or access-control lists.The CA API Gateway must include within the Registered Services Policies customized error responses revealing only the necessary information as required by the organization.

Check content

Open the CA API Gateway - Policy Manager and double-click all Registered Services that require a customized error response, revealing only the necessary information about an error. Verify the "Customize Error Response" Assertion is included in the policy and placed in accordance with organizational requirements. If it is not, this is a finding.

Fix text

Open the CA API Gateway - Policy Manager and double-click each of the Registered Services that require a customized error response and did not include a "Customize Error Response" Assertion. Add the "Customize Error Response" Assertion to the policy, placing and configuring it in accordance with organizational requirements.

Pro Tips

Powered by sagemincer