Bug 1373347 (CVE-2016-7034)
| Field | Value |
|---|---|
| Summary | CVE-2016-7034 Dashbuilder: insecure handling of CSRF token |
| Product | [Other] Security Response |
| Reporter | Jeremy Choi <jechoi> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | alazarot, dgutierr, ed.tirelli, etirelli, jcoleman, jolee, kris.verlaenen, kverlaen, lpetrovi, mbaluch, mwinkler, nwallace, rrajasek, rzhang, tkirby, vhalbert |
| Target Milestone | --- |
| Keywords | Reopened, Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Doc Text | It has been reported that CSRF tokens are not properly handled in the JBoss BPM Suite Dashbuilder. Old tokens generated during an active session can be reused to bypass CSRF protection. In addition, the tokens are sent in the query string, so they can be exposed through the browser's history, Referer headers, web server logs, and other sources. Attackers may be able to obtain old tokens from such sources and perform CSRF attacks successfully. |
| Story Points | --- |
| Last Closed | 2018-08-07 15:14:32 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1469742, 1469743 |
| Bug Blocks | 1386400, 1429673, 1521173 |
Description

Jeremy Choi
2016-09-06 05:03:41 UTC

Acknowledgments:

Name: Jeremy Choi (Red Hat Product Security Team)

@Jeremy Just to clarify,

1. Any CSRF attack requires the user to be logged in. Once logged in, the user can only get access to the pages he has been granted (according to the permissions assigned to every page). That means, no matter what CSRF token you use, the system will reject non-granted requests.

2. The above is not feasible according to #1. Also, the way the CSRF protection is implemented, only the tokens generated throughout an active session can be used within the same session. So that means, if another user logs in and tries to use an old token, an error is displayed.

If you still consider this an issue, can you please provide a reproducer?

As for the visibility of tokens, hiding them is not an easy task, as we would need to change the way URLs are generated and processed throughout the entire tooling. So, honestly, I'd leave this as that.

- David -

This issue has been addressed in the following products:

Red Hat JBoss BPM Suite 6.4.2

Via RHSA-2017:0557 https://rhn.redhat.com/errata/RHSA-2017-0557.html

This issue has been addressed in the following products:

Red Hat JBoss Data Virtualization

Via RHSA-2018:0296 https://access.redhat.com/errata/RHSA-2018:0296
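The Doc Text names two separate weaknesses: any token issued earlier in a session stays valid, and the token travels in the query string where logs, history and Referer headers retain it. The following is an added, constructed illustration of both, beside a hardened validator; it is not Dashbuilder's code and not part of this bug record. The `Session` class, `issue_token`, `validate_weak`, `validate_hardened`, the `X-CSRF-Token` header name and the 600-second token lifetime are assumptions chosen for the example.

```python
"""Constructed illustration (not Dashbuilder code) of the CSRF-token handling
weaknesses described above, next to a hardened validator."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 600  # assumed lifetime for the hardened scheme


@dataclass
class Session:
    session_id: str
    # weak scheme: every token ever issued stays valid while the session lives
    issued_tokens: set = field(default_factory=set)
    # hardened scheme: only the newest token is valid, and it expires
    current_token: Optional[str] = None
    token_issued_at: float = 0.0


def issue_token(session: Session, now: Optional[float] = None) -> str:
    """Mint a fresh random token and record it for both schemes."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    session.issued_tokens.add(token)
    session.current_token = token
    session.token_issued_at = now
    return token


def validate_weak(session: Session, request: dict) -> bool:
    """Weak pattern: token is read from the query string (so it lands in
    browser history, Referer headers and access logs) and any token the
    session ever issued is accepted."""
    token = request.get("query", {}).get("csrf_token")
    return token is not None and token in session.issued_tokens


def validate_hardened(session: Session, request: dict,
                      now: Optional[float] = None) -> bool:
    """Hardened pattern: token must arrive in a header or POST body (never
    the query string), must match the session's newest token in constant
    time, must be younger than TOKEN_TTL_SECONDS, and is rotated after
    each successful use so a captured copy cannot be replayed."""
    now = time.time() if now is None else now
    token = (request.get("headers", {}).get("X-CSRF-Token")
             or request.get("form", {}).get("csrf_token"))
    if token is None or session.current_token is None:
        return False
    if now - session.token_issued_at > TOKEN_TTL_SECONDS:
        return False
    if not hmac.compare_digest(token.encode(), session.current_token.encode()):
        return False
    issue_token(session, now)  # single use: rotate on success
    return True


def demo() -> dict:
    """Walk both validators through the scenarios; returns the outcomes."""
    t0 = 1_000_000.0  # constructed clock value
    session = Session(session_id="sess-constructed")
    old = issue_token(session, now=t0)
    current = issue_token(session, now=t0 + 1)  # page reload mints a new token
    return {
        # a token recovered from a log or Referer still passes the weak check
        "weak_accepts_old_token_in_query": validate_weak(
            session, {"query": {"csrf_token": old}}),
        # the hardened validator rejects that same stale token
        "hardened_rejects_old_token": validate_hardened(
            session, {"headers": {"X-CSRF-Token": old}}, now=t0 + 2),
        # a token that only appears in the query string is ignored entirely
        "hardened_ignores_query_string": validate_hardened(
            session, {"query": {"csrf_token": current}}, now=t0 + 2),
        # the current token, sent in a header, is accepted once ...
        "hardened_accepts_current_once": validate_hardened(
            session, {"headers": {"X-CSRF-Token": current}}, now=t0 + 2),
        # ... and rejected on replay because it was rotated
        "hardened_rejects_replay": validate_hardened(
            session, {"headers": {"X-CSRF-Token": current}}, now=t0 + 3),
        # the rotated token itself expires after TOKEN_TTL_SECONDS
        "hardened_rejects_expired": validate_hardened(
            session, {"form": {"csrf_token": session.current_token}},
            now=t0 + 2 + TOKEN_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of keeping both validators side by side is that the bypass in the Doc Text is not about guessing a token: under the weak scheme a token that leaked through a log or Referer weeks ago is as good as a fresh one, while the hardened scheme makes such a leak worthless by never reading the query string, binding validity to the newest token only, and rotating it on use.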