Bug 1392829 (CVE-2016-8638)

Summary: CVE-2016-8638 ipsilon: DoS via logging out all open SAML2 sessions
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: cbuissar, grocha, ksiddiqu, psampaio, puiterwijk, rcritten, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-21 13:36:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1394116, 1394117, 1396973
Bug Blocks: 1392831
Attachments:
  Upstream patch (flags: none)

Description Adam Mariš 2016-11-08 10:34:27 UTC
Description
===========

A vulnerability was found in ipsilon that allows an attacker to log out active
sessions of other users. This issue is related to how it tracks sessions, and
allows an unauthenticated attacker to view and terminate active sessions of
other users.


Affected versions
=================

All versions of Ipsilon 2.0 before 2.0.2 are vulnerable.
All versions of Ipsilon 1.2 before 1.2.1 are vulnerable.
All versions of Ipsilon 1.1 before 1.1.2 are vulnerable.
All versions of Ipsilon 1.0 before 1.0.3 are vulnerable.

Reference
=========
https://ipsilon-project.org/advisory/CVE-2016-8638.txt

Upstream patch
==============
https://pagure.io/ipsilon/c/511fa8b7001c2f9a42301aa1d4b85aaf170a461c

Comment 1 Adam Mariš 2016-11-08 10:34:33 UTC
Acknowledgments:

Name: Patrick Uiterwijk (Red Hat), Howard Johnson

Comment 2 Adam Mariš 2016-11-08 12:34:55 UTC
Created attachment 1218514
Upstream patch

Comment 8 Cedric Buissart 2016-11-21 10:09:19 UTC
Created ipsilon tracking bugs for this issue:

Affects: fedora-all [bug 1396973]

Comment 9 errata-xmlrpc 2016-11-21 11:22:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2809 https://rhn.redhat.com/errata/RHSA-2016-2809.html

Comment 10 Pedro Sampaio 2017-12-18 13:21:04 UTC
*** Bug 1526610 has been marked as a duplicate of this bug. ***