Bug 1216123 (CVE-2015-3158) - CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization
Summary: CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3158
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1233305 1233306 1233307 1233308 1233309 1233310 1233311 1233312 1233313 1233314 1233315 1233316 1233317 1233318 1233319 1233320 1233321 1233322 1233323 1233324 1233325 1233326
Blocks: 1215682 1255842
Reported: 2015-04-28 14:19 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:31 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the PicketLink Identity Provider Configuration (IDP) where, under specific conditions, the IDP ignores role-based authorization. This could lead to an authenticated user being able to access application resources that are not permitted for a given role.
Clone Of:
Environment:
Last Closed: 2016-10-18 19:27:50 UTC



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1669 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2015-08-24 19:53:53 UTC
Red Hat Product Errata RHSA-2015:1670 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2015-08-24 19:52:46 UTC
Red Hat Product Errata RHSA-2015:1671 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2015-08-24 20:10:06 UTC
Red Hat Product Errata RHSA-2015:1672 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2015-08-24 19:52:20 UTC
Red Hat Product Errata RHSA-2015:1673 0 normal SHIPPED_LIVE Moderate: jboss-ec2-eap bug fix security update 2015-08-24 19:37:02 UTC

Description Vasyl Kaigorodov 2015-04-28 14:19:53 UTC
It was reported that PicketLink IDP ignores role based authorization.
Part of original report below:

"""
For example, configure the PicketLink IDP to require a role ("manager")
for all resources ("/*").

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Manager command</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
    <role-name>Sales</role-name>
    <role-name>Employee</role-name>
  </auth-constraint>
</security-constraint>

Then try to access the IDP directly (http://localhost:8080/idp/), log in
as a user that is not a member of manager, Sales, or Employee roles. The
server will return the contents of an index.html.

An authenticated user that is not a member of any of those roles is able
to view a file located in /hosted/index.jsp or a file specified by the
HostedURI in the IDP configuration:

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
      HostedURI="/test.jsp"
      AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">


If the PicketLink IDP is accessed in a SP initiated flow, then an unauthorized
user is also able to generate a valid SAMLResponse and get redirected back
to the SP. The roles appear to be checked correctly at the SP, but the IDP
should have returned a 403 error.
...
The issue appears to be that the PicketLink IDP code does not check for
proper authorization after the FormAuthenticator has been invoked in the
chain.

The PicketLink IDP valve is invoked first in the chain, then the
FormAuthenticator is invoked. Once control is returned back to the
PicketLink IDP valve, it does not check for proper authorization before
returning the HostedURI or the SAMLResponse.
"""
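
Added example, not part of the original report and not PicketLink or Tomcat code: a minimal Java model of the valve ordering described above, showing the reported behaviour next to an ordering that enforces the role constraint before the HostedURI or a SAMLResponse is returned. All class and method names are hypothetical, and the sample requests are constructed.

```java
import java.util.*;
// Added illustration, not PicketLink or Tomcat code: every class and method
// name here is hypothetical and only models the ordering the report describes.
public class IdpValveOrderingDemo {

    // Roles from the <auth-constraint> in the report's web.xml.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("manager", "Sales", "Employee"));

    static final class Request {
        final String user;            // null means no credentials supplied
        final Set<String> roles;      // roles the realm assigns to the user
        final boolean samlRequest;    // true for an SP-initiated flow
        Request(String user, boolean samlRequest, String... roles) {
            this.user = user; this.samlRequest = samlRequest;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    // Stand-in for the FormAuthenticator step: establishes identity only.
    static boolean authenticate(Request r) { return r.user != null; }

    // Role check the container would apply for the constrained URL pattern.
    static boolean authorized(Request r) { return !Collections.disjoint(r.roles, ALLOWED); }

    // Reported behaviour: once authentication returns, the IDP valve answers
    // without consulting the role constraint.
    static String vulnerableValve(Request r) {
        if (!authenticate(r)) return "login form";
        return r.samlRequest ? "200 SAMLResponse" : "200 HostedURI";
    }

    // Hardened ordering: authorization is enforced before anything is issued.
    static String hardenedValve(Request r) {
        if (!authenticate(r)) return "login form";
        if (!authorized(r)) return "403";
        return r.samlRequest ? "200 SAMLResponse" : "200 HostedURI";
    }

    public static void main(String[] args) {
        Request[] constructed = {                    // constructed sample requests
            new Request("alice", false, "manager"),  // member of an allowed role
            new Request("bob", false, "Guest"),      // direct access, no allowed role
            new Request("bob", true, "Guest"),       // SP-initiated flow, no allowed role
        };
        for (Request r : constructed)
            System.out.println(r.user + " saml=" + r.samlRequest + "  vulnerable: "
                    + vulnerableValve(r) + "  hardened: " + hardenedValve(r));
    }
}
```

The two "bob" requests are the cases from the report: the vulnerable ordering serves the hosted page or issues a SAMLResponse, while the hardened ordering returns 403 at the IDP instead of relying on the SP's role check.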

Comment 2 Chess Hazlett 2015-06-18 15:28:31 UTC
upstream jira: PLINK-708
pull request: https://github.com/picketlink/picketlink-bindings/pull/124

Comment 4 errata-xmlrpc 2015-08-24 15:37:12 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1673 https://rhn.redhat.com/errata/RHSA-2015-1673.html

Comment 5 errata-xmlrpc 2015-08-24 15:52:30 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform

Via RHSA-2015:1672 https://rhn.redhat.com/errata/RHSA-2015-1672.html

Comment 6 errata-xmlrpc 2015-08-24 15:53:49 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1670 https://rhn.redhat.com/errata/RHSA-2015-1670.html

Comment 7 errata-xmlrpc 2015-08-24 15:56:24 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:1669 https://rhn.redhat.com/errata/RHSA-2015-1669.html

Comment 8 errata-xmlrpc 2015-08-24 16:12:36 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:1671 https://rhn.redhat.com/errata/RHSA-2015-1671.html

Comment 9 Jason Shepherd 2015-11-04 22:39:33 UTC
This issue was addressed in JON 3.3.4 via rebase on EAP 6.4.3

Comment 10 Chess Hazlett 2016-09-09 18:42:38 UTC
This issue was addressed in JDG 7.0.0 via removal of the affected AbstractIDPValve class.

