How to fix vulnerability CWE–307 Improper Restriction of Excessive Authentication Attempts in Bonita version 7.10.1?
The security team has performed tests with the methodologies OWASP and Penetration Testing. Black-box and white-box tests were performed.
It has detected the following vulnerability with Bonita version 7.10.1 bundle with Tomcat version 8.5.47.
The issue detected is: CWE–307 (https://cwe.mitre.org/data/definitions/307.html)
Can you let us know if this vulnerability is fixed in the latest Bonita version 7.11.0?
If not, how can we fix it in version 7.10?
There is nothing more in version 7.11.0 to prevent brute force attacks directly in Bonita. Usually I think this is something that is handled more globally, at reverse proxy level for example (as it is more relevant maybe to filter IP addresses at this level), or by a global authentication solution (SSO).
For example: https://www.nginx.com/blog/rate-limiting-nginx/
However if you don't use a SSO solution and don't want to setup a reverse proxy for this, one solution could be to implement a custom AuthenticationManager implementation and configure Bonita to use it (see https://documentation.bonitasoft.com/bonita/7.10/user-authentication-ove...).