Bug 1373347 (CVE-2016-7034)

Summary: CVE-2016-7034 Dashbuilder: insecure handling of CSRF token
Product: [Other] Security Response
Reporter: Jeremy Choi <jechoi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alazarot, dgutierr, ed.tirelli, etirelli, jcoleman, jolee, kris.verlaenen, kverlaen, lpetrovi, mbaluch, mwinkler, nwallace, rrajasek, rzhang, tkirby, vhalbert
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It has been reported that CSRF tokens are not properly handled in JBoss BPM suite dashbuilder. Old tokens generated during an active session can be used to bypass CSRF protection. In addition, the tokens are sent in query string so they can be exposed through the browser's history, referrers, web logs, and other sources. Attackers may be able to obtain old tokens from various sources in the network and perform CSRF attacks successfully.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-08-07 15:14:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1469742, 1469743
Bug Blocks: 1386400, 1429673, 1521173

Description Jeremy Choi 2016-09-06 05:03:41 UTC
It has been reported that CSRF tokens are not properly handled in JBoss BPM suite dashbuilder. Old tokens generated during an active session can be used to bypass CSRF protection. In addition, the tokens are sent in query string so they can be exposed through the browser's history, Referers, web logs, and other sources. Attackers may be able to obtain old tokens from various sources in the network and perform CSRF attacks successfully.
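The two weaknesses in the report, tokens that stay valid for the whole session and tokens carried in the query string, can be seen side by side in a small model. The following is an added example written for this page, not Dashbuilder code: the "reusable" store is an assumed model of the reported behaviour, the parameter name csrfToken, the host names and the X-CSRF-Token header are assumptions, and the Referrer-Policy values are the real ones browsers implement. It shows why a token recovered from a Referer header or an access log still works against the weak store, how much of the URL reaches a third-party site under each policy, and what the single-use, header-carried alternative looks like.

```python
# Added example (not Dashbuilder code): models the two weaknesses the
# report describes, token reuse within a session and token exposure
# through the query string, next to hardened equivalents.
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit, urlunsplit


class ReusableTokenStore:
    """Weak pattern (assumed model of the reported behaviour): every token
    issued during the session stays valid until the session ends, so a
    token recovered later from a log or a Referer still passes the check."""

    def __init__(self):
        self.issued = set()

    def issue(self):
        tok = secrets.token_urlsafe(16)
        self.issued.add(tok)
        return tok

    def verify(self, tok):
        return tok in self.issued  # never consumed, never rotated


class SingleUseTokenStore:
    """Hardened pattern: each token authorises exactly one state-changing
    request and is discarded on use; comparison is constant-time."""

    def __init__(self):
        self.pending = set()

    def issue(self):
        tok = secrets.token_urlsafe(16)
        self.pending.add(tok)
        return tok

    def verify(self, tok):
        for stored in list(self.pending):
            if hmac.compare_digest(stored, tok):
                self.pending.discard(stored)
                return True
        return False


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """What a browser sends as Referer when following a link from page_url
    to target_url, for three Referrer-Policy values: the legacy default
    (full URL unless HTTPS -> HTTP), the current browser default
    (strict-origin-when-cross-origin) and no-referrer. The fragment is
    always stripped; the query string is not, and that is the leak."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer" or downgrade:
        return None
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin-when-cross-origin":
        same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
        return full if same_origin else f"{src.scheme}://{src.netloc}/"
    raise ValueError(f"unsupported policy: {policy}")


def leaked_token(referer, param="csrfToken"):
    """Token value a third-party site can read out of an incoming Referer,
    or None. The parameter name is an assumption made for this example."""
    if referer is None:
        return None
    values = parse_qs(urlsplit(referer).query).get(param)
    return values[0] if values else None


def extract_token(method, headers, form):
    """Hardened extraction: take the token only from a request header or
    the POST body, never from the URL, so it cannot reach browser history,
    Referer headers or access logs. Header name is an assumption."""
    if method != "POST":
        return None
    return headers.get("X-CSRF-Token") or form.get("csrfToken")


if __name__ == "__main__":
    weak, strong = ReusableTokenStore(), SingleUseTokenStore()
    old = weak.issue()
    weak.issue()  # a newer token is issued, the old one stays valid
    print("old token still accepted:", weak.verify(old))
    tok = strong.issue()
    print("first use:", strong.verify(tok), "replay:", strong.verify(tok))
    page = "https://bpms.example.internal/dashbuilder/home?csrfToken=abc123"
    ref = referer_for(page, "https://evil.example.net/")
    print("token leaked via Referer:", leaked_token(ref))
```

The policy model is deliberately the part to check in practice: under the legacy default the whole URL, token included, is sent to any HTTPS site the user clicks through to, and even under strict-origin-when-cross-origin a same-origin navigation still carries the full query string, so the token keeps landing in the application's own access logs. Moving the token out of the URL, as extract_token does, is what removes it from all of those sources at once; making it single-use limits the damage if it leaks anyway.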

Comment 1 Jeremy Choi 2016-09-06 05:03:54 UTC
Acknowledgments:

Name: Jeremy Choi (Red Hat Product Security Team)

Comment 3 David Gutierrez 2016-12-29 13:13:45 UTC
@Jeremy Just to clarify,

1.- Any CSRF attack requires the user to be logged in. Once logged in, the user can only get access to the pages he has been granted access to (according to the permissions assigned to every page). That means that, no matter what CSRF token you use, the system will reject non-granted requests.

2.- The above is not feasible according to #1. Also, the way the CSRF protection is implemented, only the tokens generated throughout an active session can be used within the same session. So that means that, if another user logs in and tries to use an old token, an error is displayed.

If you still consider this an issue, can you please provide a reproducer?

As for the visibility of tokens, hiding them is not an easy task, as we would need to change the way URLs are generated and processed throughout the entire tooling. So, honestly, I'd leave this as that.

- David -

Comment 6 errata-xmlrpc 2017-03-16 21:10:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.4.2

Via RHSA-2017:0557 https://rhn.redhat.com/errata/RHSA-2017-0557.html

Comment 9 errata-xmlrpc 2018-02-13 15:48:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization

Via RHSA-2018:0296 https://access.redhat.com/errata/RHSA-2018:0296