SET-226 (project SET - Setups): Update security header for Content-Security-Policy (vulnerability CVE-2023-37272)

Details

    • Type: Fix
    • Status: Released
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 1.13
    • Fix Version/s: 1.13.19
    • Component/s: None
    • Labels: CVE-2023-37272, GHSA-qr44-gm3x-7hfc

    Description

      Vulnerability

      • Users specify file names when uploading files that hold user-generated documentation for JOC Cockpit. Specially crafted file names allow an XSS attack that injects code which is then executed in the browser.
      • Risk Mitigation: The risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0.

      Remediation

      • To prevent the vulnerability users can apply the following change to their JOC Cockpit installation:
        • The security header value for Content-Security-Policy configured with JETTY_HOME/etc/jetty-rewrite.xml currently includes:
          <Call name="addRule">
            <Arg>
              <New class="org.eclipse.jetty.rewrite.handler.HeaderRegexRule">
                <Set name="regex">^((?!/joc/api/).)*$</Set>
                <Set name="name">Content-Security-Policy</Set>
                <Set name="value">script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'</Set>
              </New>
            </Arg>
          </Call>

        • The security header value for Content-Security-Policy should instead include the following (the 'unsafe-inline' source is removed from script-src; frame-src and frame-ancestors are added):
          <Call name="addRule">
            <Arg>
              <New class="org.eclipse.jetty.rewrite.handler.HeaderRegexRule">
                <Set name="regex">^((?!/joc/api/).)*$</Set>
                <Set name="name">Content-Security-Policy</Set>
                <Set name="value">script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self'; frame-ancestors 'self'</Set>
              </New>
            </Arg>
          </Call>

        • JOC Cockpit has to be restarted to apply the change.
        • The change is applicable to JOC Cockpit releases 1.13.11 through 1.13.18.
        • The new header prevents the execution of inline JavaScript. Up to and including 1.13.18, inline JavaScript is used in a few places, which will no longer work after the change is applied. These are:
          • The Upload button during import in the Documentation view.
            As an alternative the drag/drop functionality works, so uploads remain possible.
          • The drag/drop functionality to configure a Job Chain or a Job Stream.
            The forms can be used for configuration instead of drag/drop, so configuring a Job Chain or a Job Stream remains possible.
      • The Content-Security-Policy header as implemented with SET-204 is made available starting from LTS maintenance release 1.13.19 of JobScheduler.
      • Users without access to LTS maintenance releases can apply the above change to the JOC Cockpit configuration of earlier releases such as 1.13.11 (last public maintenance release) or later.
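A quick way to verify the header value a JOC Cockpit instance actually serves, as an added example that is not part of SET-226 or the JobScheduler code base: the Python script below parses a Content-Security-Policy value the way a browser splits it, flags the settings the remediation changes ('unsafe-inline' in script-src, a missing frame-ancestors directive), and replays the HeaderRegexRule regex from jetty-rewrite.xml against sample request paths to show that responses under /joc/api/ do not receive the header at all. The two header values are copied from the XML above; the sample paths are constructed for the example.

```python
"""Audit a Content-Security-Policy value against the SET-226 remediation.

Added example; not code from SET-226 or the JobScheduler project. It parses a
CSP value the way a browser splits it (';' between directives, whitespace
between sources), reports the settings the issue removes or adds, and replays
the HeaderRegexRule regex from jetty-rewrite.xml to show which request paths
receive the header at all.
"""
import re

# Header values copied from the two jetty-rewrite.xml fragments in the issue.
CSP_BEFORE = "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
CSP_AFTER = ("script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; "
             "frame-src 'self'; frame-ancestors 'self'")

# The regex attribute of the HeaderRegexRule: a negative lookahead at every
# character position, so it matches exactly the paths that do not contain
# "/joc/api/". Python's re and java.util.regex agree on this syntax.
HEADER_RULE_REGEX = re.compile(r"^((?!/joc/api/).)*$")


def parse_csp(value):
    """Split a CSP value into {directive: [source expressions]}.

    Directive names are case-insensitive; a directive repeated later in the
    policy is ignored by browsers, so the first occurrence wins here too.
    """
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def allows_inline_script(sources):
    """True if a script-src source list lets inline <script> elements and
    event handler attributes run. 'unsafe-inline' is ignored by CSP Level 2+
    browsers when a nonce or hash source is present in the same directive."""
    has_nonce_or_hash = any(re.match(r"'(nonce|sha256|sha384|sha512)-", s) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def audit_csp(value):
    """Return findings for a CSP value; an empty list means the policy blocks
    inline script and restricts framing as the remediation intends."""
    policy = parse_csp(value)
    findings = []
    # script-src falls back to default-src when it is absent.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src (and no default-src): inline script is not restricted")
    elif allows_inline_script(script_src):
        findings.append("script-src contains 'unsafe-inline': script injected via a crafted file name executes")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: the CSP does not restrict who may frame JOC Cockpit")
    return findings


def header_applies(path):
    """Replay the Jetty rule: the CSP header is added to responses for every
    request path except those containing /joc/api/ (the REST API is exempted)."""
    return HEADER_RULE_REGEX.fullmatch(path) is not None


if __name__ == "__main__":
    for label, value in (("before", CSP_BEFORE), ("after", CSP_AFTER)):
        print(f"{label}: {audit_csp(value) or 'OK'}")
    # Constructed sample paths, not taken from the issue.
    for path in ("/joc/", "/joc/documentation/", "/joc/api/documentation/upload"):
        print(f"{path}: header {'set' if header_applies(path) else 'not set'}")
```

To check a running installation, fetch the Content-Security-Policy response header of a JOC Cockpit page (e.g. with curl -sI) and pass its value to audit_csp(); an empty result confirms the remediated value is in effect, while the "before" value above yields two findings.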

      People

        Oliver Haufe
        Andreas Püschel
        Kanika Agrawal