Bug 1216123 - (CVE-2015-3158) CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
Priority: medium Severity: medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150605,repor...
: Security
Depends On: 1233305 1233306 1233307 1233308 1233309 1233310 1233311 1233312 1233313 1233314 1233315 1233316 1233317 1233318 1233319 1233320 1233321 1233322 1233323 1233324 1233325 1233326
Blocks: 1215682 1255842
Reported: 2015-04-28 10:19 EDT by Vasyl Kaigorodov
Modified: 2016-10-18 15:27 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the PicketLink Identity Provider Configuration (IDP) where, under specific conditions, the IDP ignores role-based authorization. This could lead to an authenticated user being able to access application resources that are not permitted for a given role.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-18 15:27:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1669 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2015-08-24 15:53:53 EDT
Red Hat Product Errata RHSA-2015:1670 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2015-08-24 15:52:46 EDT
Red Hat Product Errata RHSA-2015:1671 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2015-08-24 16:10:06 EDT
Red Hat Product Errata RHSA-2015:1672 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2015-08-24 15:52:20 EDT
Red Hat Product Errata RHSA-2015:1673 normal SHIPPED_LIVE Moderate: jboss-ec2-eap bug fix security update 2015-08-24 15:37:02 EDT

Description Vasyl Kaigorodov 2015-04-28 10:19:53 EDT
It was reported that PicketLink IDP ignores role based authorization.
Part of original report below:

"""
For example, configure the PicketLink IDP to require a role ("manager")
for all resources ("/*").

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Manager command</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>manager</role-name>
        <role-name>Sales</role-name>
        <role-name>Employee</role-name>
    </auth-constraint>
</security-constraint>

Then try to access the IDP directly (http://localhost:8080/idp/) and log in
as a user who is not a member of the manager, Sales, or Employee roles. The
server will return the contents of an index.html.

An authenticated user that is not a member of any of those roles is able
to view a file located in /hosted/index.jsp or a file specified by the
HostedURI in the IDP configuration:

<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
    <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1"
        HostedURI="/test.jsp"
        AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager">


If the PicketLink IDP is accessed in a SP initiated flow, then an unauthorized
user is also able to generate a valid SAMLResponse and get redirected back
to the SP. The roles appear to be checked correctly at the SP, but the IDP
should have returned a 403 error.
...
The issue appears to be that the PicketLink IDP code does not check for
proper authorization after the FormAuthenticator has been invoked in the
chain.

The PicketLink IDP valve is invoked first in the chain, then the
FormAuthenticator is invoked. Once control is returned back to the
PicketLink IDP valve, it does not check for proper authorization before
returning the HostedURI or the SAMLResponse.
"""
Comment 2 Chess Hazlett 2015-06-18 11:28:31 EDT
upstream jira: PLINK-708
pull request: https://github.com/picketlink/picketlink-bindings/pull/124
Comment 4 errata-xmlrpc 2015-08-24 11:37:12 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1673 https://rhn.redhat.com/errata/RHSA-2015-1673.html
Comment 5 errata-xmlrpc 2015-08-24 11:52:30 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform

Via RHSA-2015:1672 https://rhn.redhat.com/errata/RHSA-2015-1672.html
Comment 6 errata-xmlrpc 2015-08-24 11:53:49 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1670 https://rhn.redhat.com/errata/RHSA-2015-1670.html
Comment 7 errata-xmlrpc 2015-08-24 11:56:24 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:1669 https://rhn.redhat.com/errata/RHSA-2015-1669.html
Comment 8 errata-xmlrpc 2015-08-24 12:12:36 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:1671 https://rhn.redhat.com/errata/RHSA-2015-1671.html
Comment 9 Jason Shepherd 2015-11-04 17:39:33 EST
This issue was addressed in JON 3.3.4 via rebase on EAP 6.4.3
Comment 10 Chess Hazlett 2016-09-09 14:42:38 EDT
This issue was addressed in JDG 7.0.0 via removal of the affected AbstractIDPValve class.
