Bug 1194832 (CVE-2015-0277)

Summary: CVE-2015-0277 PicketLink: SP does not take Audience condition of a SAML assertion into account
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: cdewolf, dandread, darran.lofthouse, jason.greene, jawilson, kkhan, lgao, myarboro, pgier, psilva, pskopek, pslavice, rsvoboda, security-response-team, twalsh, vtunka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way PicketLink's Service Provider and Identity Provider handled certain requests. A remote attacker could use this flaw to log in to a victim's account via PicketLink.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:39:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1194840, 1194841
Bug Blocks: 1194821, 1212496

Description Chess Hazlett 2015-02-20 21:08:12 UTC
flaw 1: in case a PicketLink Service Provider is accessed with an assertion with an AudienceRestriction element in the Conditions element, and the Audience elements contain only URIs of parties the SP is not a member of, the SP considers such an assertion to be valid. However, according to the SAML2 specification, the audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.
Let's have service providers SP1 and SP2, and an identity provider IdP. SP1 and SP2 use IdP for authentication. Because of the bug, an assertion intended for SP1 could be misused to log in to SP2 -- in case an attacker catches the assertion, he could log in not only to SP1 but also to SP2.

flaw 2: In case a PicketLink SP is accessed with an assertion with a Destination attribute in the Response element, and the Destination attribute is set to any URI, the SP never discards the response. However, according to the SAML2 specification, if it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the response MUST be discarded.
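As an added illustration of the two checks the description says were missing (this is example code written for this page, not PicketLink's own implementation), the validator below parses a constructed SAML 2.0 Response and applies both rules from SAML Core: each AudienceRestriction is Valid only if the relying party's entity ID is among its Audience values, and a Destination attribute, when present, must equal the URL at which the response was received. The entity IDs, endpoint URLs and the response itself are made-up sample data; XML signature verification and the NotBefore/NotOnOrAfter window are assumed to be handled elsewhere and are not shown.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an IdP response addressed to SP1's assertion consumer
# URL, carrying an assertion whose AudienceRestriction names only SP1.
# Entity IDs and URLs are made up for this example; signature omitted.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2015-02-20T21:00:00Z"
    Destination="https://sp1.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-02-20T21:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-02-20T20:59:00Z" NotOnOrAfter="2015-02-20T21:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp1.example.test/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def audience_restriction_ok(assertion, sp_entity_id):
    """SAML 2.0 Core 2.5.1.4: an AudienceRestriction is Valid iff the relying
    party is a member of at least one of its Audience values; several
    AudienceRestriction elements are ANDed.  No AudienceRestriction at all
    means no restriction.  Flaw 1 in the report: the SP accepted assertions
    whose audiences named only other parties."""
    path = f"./{{{SAML}}}Conditions/{{{SAML}}}AudienceRestriction"
    for restriction in assertion.findall(path):
        audiences = [a.text.strip() for a in restriction.findall(f"{{{SAML}}}Audience") if a.text]
        if sp_entity_id not in audiences:
            return False
    return True


def destination_ok(response, received_at):
    """SAML 2.0 Core 3.2.2: if Destination is present, the recipient MUST
    check that it identifies the location where the message was received and
    discard the message otherwise.  Flaw 2 in the report: the SP never
    discarded the response."""
    destination = response.get("Destination")
    if destination is None:
        return True
    return destination == received_at


def validate_response(xml_text, sp_entity_id, received_at):
    """Return (accepted, reason).  Assumes the XML signature and the time
    window have already been verified by the caller; only the two checks
    from the report are implemented here."""
    response = ET.fromstring(xml_text)
    if response.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    if not destination_ok(response, received_at):
        return False, "Destination does not match the receiving endpoint"
    assertions = response.findall(f"{{{SAML}}}Assertion")
    if not assertions:
        return False, "no assertion"  # EncryptedAssertion is not handled here
    for assertion in assertions:
        if not audience_restriction_ok(assertion, sp_entity_id):
            return False, "relying party is not in the assertion's Audience"
    return True, "ok"


if __name__ == "__main__":
    # SP1 receives the response at its own ACS URL: accepted.
    print(validate_response(SAMPLE_RESPONSE,
                            "https://sp1.example.test/metadata",
                            "https://sp1.example.test/saml/acs"))
    # The same response presented to SP2 fails the Destination check, and
    # would fail the Audience check even if Destination were absent.
    print(validate_response(SAMPLE_RESPONSE,
                            "https://sp2.example.test/metadata",
                            "https://sp2.example.test/saml/acs"))
```

Both checks are cheap and independent of the signature: an assertion that is correctly signed by the IdP can still be meant for a different relying party, which is exactly the SP1/SP2 scenario described above, so an SP has to enforce Audience and Destination in addition to validating the signature.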

Comment 2 JBoss JIRA Server 2015-02-23 15:41:05 UTC
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-680 to Resolved

Comment 5 Martin Prpič 2015-04-16 09:20:16 UTC
This issue was discovered by Ondrej Kotek of Red Hat.

Comment 6 errata-xmlrpc 2015-04-16 15:39:52 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html

Comment 7 errata-xmlrpc 2015-04-16 16:30:14 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html

Comment 8 errata-xmlrpc 2015-04-16 16:32:40 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html

Comment 9 errata-xmlrpc 2015-04-16 16:35:14 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html