Summary

The COmanage Project and TAP containers have been updated to deter clickjacking attacks.

Severity

The severity of this issue is very high, as clickjacking attacks are designed to be launched remotely.

Exposure

The exposure will generally be low, as clickjacking is generally considered difficult to exploit. There are no known instances in the wild of this attack.

Recommended Mitigation

Deployments should update to the latest containers available. This applies to both Registry and Match.

Alternate Mitigations

Deployments may alternately update their Apache or other web server configurations to ensure frames can only come from the same origin. For example:

Header set Content-Security-Policy "frame-ancestors 'self';" 

Deployments supporting older browsers may wish to also send the older X-Frame-Options header, which predates the frame-ancestors directive, alongside the Content-Security-Policy header (shown here as the resulting response headers; in Apache each is set with a Header directive as above):

X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self' 
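To confirm that a deployment actually returns the mitigation described above, the following checker evaluates a set of HTTP response headers for either a restrictive CSP frame-ancestors directive or a restrictive X-Frame-Options value. This is an added example, not code from the COmanage project or the advisory; the header sets it audits are constructed for illustration, and the function names (parse_csp, frame_ancestors_status, audit) are this example's own.

```python
"""Check whether HTTP response headers deter clickjacking.

Added example; not part of the COmanage advisory or project. It checks the
two mechanisms the advisory names: the CSP frame-ancestors directive and the
older X-Frame-Options header. The sample header sets are constructed.
"""


def parse_csp(value):
    """Return {directive: [sources]} from one Content-Security-Policy value.

    Directives are ';'-separated; the first token is the directive name and
    the rest are source expressions. Keyword sources ('self', 'none') and
    directive names are case-insensitive, so both are lowercased.
    Assumption: the policy was delivered in a single header value.
    """
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def frame_ancestors_status(headers):
    """Classify a response's framing protection.

    Returns (protected, mechanism, detail) where mechanism is 'csp', 'xfo'
    or 'none'. Header names are matched case-insensitively. When a CSP
    frame-ancestors directive is present it takes precedence over
    X-Frame-Options, which browsers ignore in that case.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp:
        policy = parse_csp(csp)
        if "frame-ancestors" in policy:
            sources = policy["frame-ancestors"]
            # 'none' forbids all framing; 'self' limits it to the same origin,
            # which is what the advisory's example configures.
            if sources in (["'none'"], ["'self'"]):
                return True, "csp", sources[0]
            if not sources:
                return False, "csp", "empty frame-ancestors list; use 'none' explicitly"
            if "*" in sources:
                return False, "csp", "frame-ancestors allows any origin"
            return True, "csp", "restricted to listed origins: " + " ".join(sources)

    xfo = h.get("x-frame-options")
    if xfo:
        v = xfo.strip().upper()
        if v in ("DENY", "SAMEORIGIN"):
            return True, "xfo", v
        return False, "xfo", "unrecognized X-Frame-Options value: " + xfo

    return False, "none", "no frame-ancestors directive and no X-Frame-Options header"


# Constructed sample responses, one per situation a deployment might be in.
SAMPLE_RESPONSES = {
    "advisory_csp": {"Content-Security-Policy": "frame-ancestors 'self';"},
    "legacy_both": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    },
    "csp_without_frame_ancestors": {"Content-Security-Policy": "default-src 'self'"},
    "wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "unprotected": {"Content-Type": "text/html"},
}


def audit(responses=SAMPLE_RESPONSES):
    """Run frame_ancestors_status over each named response and return the results."""
    return {name: frame_ancestors_status(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (ok, mech, detail) in audit().items():
        print(f"{name:28s} {'OK ' if ok else 'FAIL'} [{mech}] {detail}")
```

The checker deliberately flags a CSP header that lacks frame-ancestors as unprotected: a policy such as default-src 'self' says nothing about who may frame the page, which is a common misreading when adding CSP for other reasons.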

Discussion

"Clickjacking" is an attack in which an attacker layers content so that a user is tricked into clicking a link or control they did not intend to, often by overlaying an invisible iframe. More details about this class of attack can be found here.

References

  • CO-2705
