Bug 1194832 – CVE-2015-0277 PicketLink: SP does not take Audience condition of a SAML assertion into account

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1194832 - (CVE-2015-0277) CVE-2015-0277 PicketLink: SP does not take Audience condition of a SAML assertion into account

Summary:	CVE-2015-0277 PicketLink: SP does not take Audience condition of a SAML asser...

Status:	NEW

Aliases:	CVE-2015-0277

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20150414,repo...
Keywords:	Security

Depends On:	1194840 1194841
Blocks:	1194821 1212496
	Show dependency tree / graph

Reported:	2015-02-20 16:08 EST by Chess Hazlett
Modified:	2015-04-16 13:46 EDT (History)
CC List:	16 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A flaw was found in the way PicketLink's Service Provider and Identity Provider handled certain requests. A remote attacker could use this flaw to log to a victim's account via PicketLink.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
JBoss Issue Tracker	PLINK-678	Major	Resolved	SP does not take Audience condition of a SAML assertion into account	2018-10-18 15:29 EDT
JBoss Issue Tracker	PLINK-680	Major	Resolved	IdP and SP must validate destination in requests and responses	2018-10-18 15:29 EDT
Red Hat Product Errata	RHSA-2015:0846	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update	2015-04-16 16:17:12 EDT
Red Hat Product Errata	RHSA-2015:0847	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update	2015-04-16 16:13:53 EDT
Red Hat Product Errata	RHSA-2015:0848	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update	2015-04-16 16:26:01 EDT
Red Hat Product Errata	RHSA-2015:0849	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update	2015-04-16 15:39:06 EDT

Groups: None (edit)

Description Chess Hazlett 2015-02-20 16:08:12 EST

flaw 1: in case a PicketLink Service Provider is accessed with assertion with AudienceRestriction element in Conditions element, and Audience elements contains only URIs of parties the SP is not a member of, SP consider such assertion to be valid. However according to SAML2 specification: the audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.
Lets have service providers SP1 and SP2, and an identity provider IdP. SP1 and SP2 uses IdP for authentication. Because of the bug, an assertion intended for SP1 could be misused to login to SP2 -- in case an attacker catches the assertion, he could log in not only to SP1 but also to SP2.

flaw 2: In case a PicketLink SP is accessed with assertion with a Destination attribute in Response element, and the Destination attribute is set to any URI, SP never discards response. However according to SAML2 specification, If it is present, the actual recipient MUST check that the URI reference identifies the location at which the massage was received. If it does not, the response MUST be discarded.

Comment 2 JBoss JIRA Server 2015-02-23 10:41:05 EST

Pedro Igor <pigor.craveiro@gmail.com> updated the status of jira PLINK-680 to Resolved

Comment 3 Pedro Igor 2015-02-23 10:44:14 EST

Fixed in commits:

# Audience validation
http://git.app.eng.bos.redhat.com/git/picketlink25.git/commit/?h=eap-6.x&id=f89de9cc28f73e1f99d27582a64cae0f82430410
http://git.app.eng.bos.redhat.com/git/picketlink-bindings-25.git/commit/?h=eap-6.x&id=a449a83438f4d8d52c3c901908aec14233f04a16

# Destination validation
http://git.app.eng.bos.redhat.com/git/picketlink25.git/commit/?h=eap-6.x&id=7b10ea2d3385804c69b672032510609831d12aad
http://git.app.eng.bos.redhat.com/git/picketlink-bindings-25.git/commit/?h=eap-6.x&id=8172cc0d4986a5dc2d3a236704b3fcced6249cee

Comment 5 Martin Prpič 2015-04-16 05:20:16 EDT

Acknowledgement:

This issue was discovered by Ondrej Kotek of Red Hat.

Comment 6 errata-xmlrpc 2015-04-16 11:39:52 EDT

This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html

Comment 7 errata-xmlrpc 2015-04-16 12:30:14 EDT

This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html

Comment 8 errata-xmlrpc 2015-04-16 12:32:40 EDT

This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html

Comment 9 errata-xmlrpc 2015-04-16 12:35:14 EDT

This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html

Note You need to log in before you can comment on or make changes to this bug.