Bug 1216123 (CVE-2015-3158)

Summary: CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, alazarot, asantos, aszczucz, bdawidow, cdewolf, chazlett, dandread, darran.lofthouse, dhorton, epp-bugs, etirelli, felias, fnasser, gvarsami, hfnukal, huwang, jason.greene, jawilson, jboss-set, jbpapp-maint, jcoleman, jdg-bugs, jolee, jpallich, jshepherd, kconner, ldimaggi, lgao, lpetrovi, mbaluch, mweiler, mwinkler, myarboro, nwallace, pavelp, pgier, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, security-response-team, slong, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A flaw was found in the PicketLink Identity Provider Configuration (IDP) where, under specific conditions, the IDP ignores role-based authorization. This could lead to an authenticated user being able to access application resources that are not permitted for a given role.
Last Closed: 2016-10-18 19:27:50 UTC
Bug Depends On: 1233305, 1233306, 1233307, 1233308, 1233309, 1233310, 1233311, 1233312, 1233313, 1233314, 1233315, 1233316, 1233317, 1233318, 1233319, 1233320, 1233321, 1233322, 1233323, 1233324, 1233325, 1233326
Bug Blocks: 1215682, 1255842

Description Vasyl Kaigorodov 2015-04-28 14:19:53 UTC
It was reported that PicketLink IDP ignores role based authorization.
Part of original report below:

"""
For example, configure the PicketLink IDP to require a role ("manager")
for all resources ("/*").

<security-constraint>
<web-resource-collection>
<web-resource-name>Manager command</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
<role-name>Sales</role-name>
<role-name>Employee</role-name>
</auth-constraint>
</security-constraint>

Then try to access the IDP directly (http://localhost:8080/idp/), log in
as a user that is not a member of the manager, Sales, or Employee roles. The
server will return the contents of an index.html.

An authenticated user that is not a member of any of those roles is able
to view a file located in /hosted/index.jsp or a file specified by the
HostedURI in the IDP configuration:

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
<PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
HostedURI="/test.jsp"
AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">


If the PicketLink IDP is accessed in a SP initiated flow, then an unauthorized
user is also able to generate a valid SAMLResponse and get redirected back
to the SP. The roles appear to be checked correctly at the SP, but the IDP
should have returned a 403 error.
...
The issue appears to be that the PicketLink IDP code does not check for
proper authorization after the FormAuthenticator has been invoked in the
chain.

The PicketLink IDP valve is invoked first in the chain, then the
FormAuthenticator is invoked. Once control is returned back to the
PicketLink IDP valve, it does not check for proper authorization before
returning the HostedURI or the SAMLResponse.
"""

Comment 2 Chess Hazlett 2015-06-18 15:28:31 UTC
upstream jira: PLINK-708
pull request: https://github.com/picketlink/picketlink-bindings/pull/124

Comment 4 errata-xmlrpc 2015-08-24 15:37:12 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1673 https://rhn.redhat.com/errata/RHSA-2015-1673.html

Comment 5 errata-xmlrpc 2015-08-24 15:52:30 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform

Via RHSA-2015:1672 https://rhn.redhat.com/errata/RHSA-2015-1672.html

Comment 6 errata-xmlrpc 2015-08-24 15:53:49 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1670 https://rhn.redhat.com/errata/RHSA-2015-1670.html

Comment 7 errata-xmlrpc 2015-08-24 15:56:24 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:1669 https://rhn.redhat.com/errata/RHSA-2015-1669.html

Comment 8 errata-xmlrpc 2015-08-24 16:12:36 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:1671 https://rhn.redhat.com/errata/RHSA-2015-1671.html

Comment 9 Jason Shepherd 2015-11-04 22:39:33 UTC
This issue was addressed in JON 3.3.4 via rebase on EAP 6.4.3

Comment 10 Chess Hazlett 2016-09-09 18:42:38 UTC
This issue was addressed in JDG 7.0.0 via removal of the affected AbstractIDPValve class.