It was found that the PicketLink implementation, while parsing SAML messages, replaces special placeholder strings in attribute values with the values of system properties. An attacker can misuse this to determine values of system properties on the attacked system by formatting the SAML request ID field as the name of a chosen system property; the property value is then returned in the "InResponseTo" field of the response. Upstream bug (for Keycloak): https://issues.jboss.org/browse/KEYCLOAK-4160
Upstream patch: https://github.com/keycloak/keycloak/pull/3715/commits/0cb5ba0f6e83162d221681f47b470c3042eef237
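Added illustration, not code from PicketLink or Keycloak: a minimal Python model of the attribute handling described above, with the vulnerable expansion beside the hardened form and a check a defender can run over logged request IDs. The `${name}` / `${name::default}` placeholder syntax, the sample AuthnRequest and the property values are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Assumed placeholder syntax: "${name}" or "${name::default}". The vulnerable
# parser applied this expansion to every attribute value it read.
_PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?:::([^}]*))?\}")


def expand_system_properties(value, props):
    """Vulnerable behaviour: replace placeholders in an attribute value with
    system property values ('props' stands in for Java's System properties)."""
    def repl(m):
        name, default = m.group(1), m.group(2)
        return props.get(name, default if default is not None else m.group(0))
    return _PLACEHOLDER.sub(repl, value)


def get_request_id(authn_request_xml, props=None):
    """Read the ID attribute of a samlp:AuthnRequest.
    props=None models the fix: the raw attribute value is used verbatim.
    Passing a props dict models the vulnerable parser, whose expanded value
    would be echoed back in the Response's InResponseTo attribute."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not an AuthnRequest")
    raw = root.attrib["ID"]
    return raw if props is None else expand_system_properties(raw, props)


def is_suspicious_request_id(request_id):
    """Detection helper for IdP logs: an SP-generated request ID is an opaque
    identifier and never legitimately contains placeholder syntax."""
    return _PLACEHOLDER.search(request_id) is not None


# Constructed sample: a request whose ID carries a placeholder instead of a random ID.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="${java.version}" ' % SAMLP
    + 'Version="2.0" IssueInstant="2017-01-01T00:00:00Z"/>'
)
# Constructed stand-in for the server's system properties.
FAKE_PROPS = {"java.version": "1.8.0_constructed"}

if __name__ == "__main__":
    print("vulnerable:", get_request_id(SAMPLE_REQUEST, FAKE_PROPS))
    print("hardened:  ", get_request_id(SAMPLE_REQUEST))
    print("flagged:   ", is_suspicious_request_id(SAMPLE_REQUEST))
```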
Acknowledgments: Hynek Mlnarik (Red Hat)
JON-3 is not affected by this issue because it is not supported as an SSO Identity Provider.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0.8 Via RHSA-2017:2810 https://access.redhat.com/errata/RHSA-2017:2810
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2017:2808 https://access.redhat.com/errata/RHSA-2017:2808
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:2809 https://access.redhat.com/errata/RHSA-2017:2809
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7, Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:2811 https://access.redhat.com/errata/RHSA-2017:2811
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2017:3218 https://access.redhat.com/errata/RHSA-2017:3218
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:3217 https://access.redhat.com/errata/RHSA-2017:3217
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2017:3216 https://access.redhat.com/errata/RHSA-2017:3216
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:3220 https://access.redhat.com/errata/RHSA-2017:3220
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:3219 https://access.redhat.com/errata/RHSA-2017:3219
RHMAP services, UPS and Millicore don't use SAML features of embedded Keycloak.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2740
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2741
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2742
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:2743 https://access.redhat.com/errata/RHSA-2018:2743
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:0139 https://access.redhat.com/errata/RHSA-2019:0139
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2019:0137 https://access.redhat.com/errata/RHSA-2019:0137
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2019:0136 https://access.redhat.com/errata/RHSA-2019:0136
This vulnerability is out of security support scope for the following product:
* Red Hat Enterprise Application Platform 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Created picketlink tracking bugs for this issue: Affects: fedora-all [bug 1710644]