Does Standalone Orchestrator leverage Microsoft's Azure SignalR Service?
Issue Description: Vulnerability scans run by some commercial security software may flag UiPath Orchestrator (Standalone) for privacy violations related to Microsoft's Azure SignalR Service.
There are many instances where the Azure SignalR Service endpoint (https://*.service.signalr.net) is mistaken for an external database connection string.
Resolution: Standalone UiPath Orchestrator does not leverage Microsoft's Azure SignalR Service and does not make any connections to the Azure SignalR Service endpoint (https://*.service.signalr.net) without explicit modification to do so by Orchestrator administrators.
The Azure SignalR Service endpoint (https://*.service.signalr.net) is listed in the Content-Security-Policy (CSP) HTTP header used by default, so Orchestrator permits the loading of content that originates from Azure SignalR Service. However, connections to this service must still be implemented and configured by Orchestrator administrators as an extension to UiPath Orchestrator's core functionality.
Therefore, these vulnerability flags may be considered false positives in most cases.
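To triage such a finding, the following added example (not UiPath code) parses a Content-Security-Policy header value and reports which directives allow-list the SignalR endpoint, showing that the match is a CSP source expression rather than a connection string. The header in `SAMPLE_CSP` is constructed for illustration and is not Orchestrator's actual policy; the function names are hypothetical.

```python
# Added example: locate a host pattern inside a CSP header to triage a scanner finding.
# SAMPLE_CSP is a constructed header value, not Orchestrator's real policy.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline'; "
    "connect-src 'self' wss: https://*.service.signalr.net; "
    "img-src 'self' data:"
)


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so keep only the first one.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def directives_allowing(header, host_pattern):
    """Return the directives whose source list names host_pattern."""
    wanted = host_pattern.lower()
    hits = []
    for name, sources in parse_csp(header).items():
        for src in sources:
            # Drop the scheme, then any path and port, to compare hosts only.
            host = src.lower().split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
            if host == wanted:
                hits.append(name)
                break
    return hits


def triage(header, host_pattern):
    """Summarise whether the host is a CSP allow-list entry."""
    hits = directives_allowing(header, host_pattern)
    if not hits:
        return "not listed in CSP"
    return "allow-listed in: " + ", ".join(hits) + " (browser permission only)"


if __name__ == "__main__":
    print(triage(SAMPLE_CSP, "*.service.signalr.net"))
```

Run it against the header value captured from your own deployment; an allow-list entry only tells the browser what it may load and does not indicate that Orchestrator contacts the endpoint.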