Bug 2149181 (CVE-2022-41912)

Summary: CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: agerstmayr, amctagga, aoconnor, bniver, flucifre, gmeno, gparvin, grafana-maint, jburrell, jkurik, mbenjamin, mhackett, nathans, njean, owatkins, pahickey, saroy, scox, sostapov, stcannon, teagle, vereddy, vkumar, ybuenos
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: crewjam/saml 0.4.9
Doc Type: If docs needed, set a value
Doc Text:
An authentication bypass flaw was discovered in the crewjam/saml Go package. A remote, unauthenticated attacker could trigger it by sending a SAML request. This would allow privilege escalation and, from there, compromise of system integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-15 19:18:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2149186, 2149187, 2149188, 2149423, 2149525, 2149526, 2149527, 2149528, 2149529, 2149530
Bug Blocks: 2149099

Description Avinash Hanwate 2022-11-29 06:03:17 UTC
The crewjam/saml go library prior to version 0.4.9 is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements. This issue has been corrected in version 0.4.9. There are no workarounds other than upgrading to a fixed version.

https://github.com/crewjam/saml/commit/aee3fb1edeeaf1088fcb458727e0fd863d277f8b
https://github.com/crewjam/saml/security/advisories/GHSA-j2jp-wvqg-wc2g
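As an added illustration, not code from crewjam/saml, from the linked commit, or from this bug, the structural defence a SAML service provider needs for the flaw class described above, written in Go: count every Assertion element in the Response before trusting any of it, and refuse the Response unless there is exactly one, sitting where the consumer will read it. The page records only that multiple Assertion elements trigger the bypass; the function names, the example.test hostnames and the three sample responses are constructed for this example, and they omit signatures, so this check runs alongside signature validation rather than replacing it.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed sample responses for this example (not from the advisory).
// Signatures are omitted; the structural check below is additional to,
// never a substitute for, signature validation.
const SingleAssertionResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>`

// Two sibling assertions: the shape CVE-2022-41912 is about.
const DoubleAssertionResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject></saml:Assertion>
  <saml:Assertion ID="_a2" Version="2.0"><saml:Subject><saml:NameID>admin@example.test</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>`

// One assertion, but under Extensions instead of directly under Response,
// so a struct decode of Response>Assertion sees none while a token walk sees one.
const NestedAssertionResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r3" Version="2.0">
  <samlp:Extensions>
    <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject></saml:Assertion>
  </samlp:Extensions>
</samlp:Response>`

var (
	ErrNoAssertion        = errors.New("saml: response contains no Assertion element")
	ErrMultipleAssertions = errors.New("saml: response contains more than one Assertion element")
	ErrMisplacedAssertion = errors.New("saml: Assertion is not a direct child of Response")
)

// CountAssertions walks the raw token stream and counts every start element
// whose local name is Assertion, at any depth and under any prefix, so an
// extra Assertion placed under an unexpected parent is still counted.
func CountAssertions(doc string) (int, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	n := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return n, nil
		}
		if err != nil {
			return 0, err
		}
		if se, ok := tok.(xml.StartElement); ok && se.Name.Local == "Assertion" {
			n++
		}
	}
}

// response mirrors just enough of the SAML 2.0 Response schema to read the
// subject of the single top-level Assertion once the count has been checked.
type response struct {
	Assertions []struct {
		NameID string `xml:"Subject>NameID"`
	} `xml:"Assertion"`
}

// SubjectOfResponse returns the NameID of the one and only Assertion. It
// refuses a response with zero or several Assertion elements anywhere in the
// document, and one whose single Assertion is not where the consumer reads
// it, so the assertion that gets verified is the assertion that gets used.
func SubjectOfResponse(doc string) (string, error) {
	n, err := CountAssertions(doc)
	if err != nil {
		return "", fmt.Errorf("saml: malformed response: %w", err)
	}
	if n == 0 {
		return "", ErrNoAssertion
	}
	if n > 1 {
		return "", ErrMultipleAssertions
	}
	var r response
	if err := xml.Unmarshal([]byte(doc), &r); err != nil {
		return "", fmt.Errorf("saml: malformed response: %w", err)
	}
	if len(r.Assertions) != 1 {
		return "", ErrMisplacedAssertion
	}
	return r.Assertions[0].NameID, nil
}

func main() {
	samples := []struct{ name, doc string }{
		{"single", SingleAssertionResponse},
		{"double", DoubleAssertionResponse},
		{"nested", NestedAssertionResponse},
	}
	for _, s := range samples {
		subj, err := SubjectOfResponse(s.doc)
		fmt.Printf("%-6s subject=%q err=%v\n", s.name, subj, err)
	}
}
```

The count is done on the token stream rather than on the decoded struct on purpose: a struct field only sees Assertion elements at the position the schema expects, while the bypass class depends on an element the signature check and the consumer disagree about, wherever it sits. Note that this strict version also rejects assertions legitimately nested inside a saml:Advice element; a deployment that relies on those would need to count them separately rather than loosen the top-level rule.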

Comment 1 Avinash Hanwate 2022-11-29 06:26:42 UTC
Created golang-github-crewjam-saml tracking bugs for this issue:

Affects: fedora-35 [bug 2149186]
Affects: fedora-36 [bug 2149187]
Affects: fedora-37 [bug 2149188]

Comment 10 ybuenos 2022-12-07 14:53:27 UTC
*** Bug 2151477 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2022-12-14 22:40:29 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:9040 https://access.redhat.com/errata/RHSA-2022:9040

Comment 12 Product Security DevOps Team 2022-12-15 19:18:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41912

Comment 14 errata-xmlrpc 2023-01-04 06:46:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:9108 https://access.redhat.com/errata/RHSA-2022:9108

Comment 15 errata-xmlrpc 2023-01-10 07:53:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0032 https://access.redhat.com/errata/RHSA-2023:0032

Comment 16 errata-xmlrpc 2023-01-25 11:52:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2023:0237 https://access.redhat.com/errata/RHSA-2023:0237

Comment 17 errata-xmlrpc 2023-02-07 18:36:56 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:0630 https://access.redhat.com/errata/RHSA-2023:0630

Comment 18 errata-xmlrpc 2023-02-13 04:31:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0574 https://access.redhat.com/errata/RHSA-2023:0574

Comment 19 errata-xmlrpc 2023-06-15 16:01:17 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642