Bug 1509183 - [GSS](6.4.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: CR1
: EAP 6.4.19
Assignee: Jiri Ondrusek
QA Contact: Jiri Truhlar
URL:
Whiteboard:
Depends On: 1414138
Blocks: eap6419-payload 1509801 1594389 1611832
 
Reported: 2017-11-03 09:50 UTC by Jiří Bílek
Modified: 2018-08-02 20:50 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1594389
Environment:
Last Closed: 2018-04-16 11:03:47 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1414138 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Issue Tracker JBEAP-13506 0 Major Resolved [GSS](7.0.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xm... 2018-07-13 03:14:28 UTC
Red Hat Issue Tracker JBEAP-13878 0 Major Verified [GSS](7.1.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xm... 2018-07-13 03:14:25 UTC
Red Hat Issue Tracker JBEAP-13879 0 Major Resolved [GSS](7.2.0) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xm... 2018-07-13 03:14:25 UTC

Description Jiří Bílek 2017-11-03 09:50:14 UTC
Picketlink/EAP 6.4.17 is passing the values as a system property but after an update to 6.4.18, variables aren't resolved anymore at picketlink startup.
{code}
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
        <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                BindingType="POST"
                LogOutPage="/myLogoutPage"
                IDPUsesPostBinding="true"
                SupportsSignatures="true">

                <IdentityURL>${plink.IDPurl}</IdentityURL>
                <ServiceURL>${plink.SPurl}</ServiceURL>
...
{code}

in standalone.xml we defined the system properties:
{code}
<system-properties>
...
      <property name="plink.IDPurl" value="https://www.myidp.com"/>
      <property name="plink.SPurl" value="https://mysp.com/"/>
...
{code}

Error Snippet:
{code}
2017-10-10 15:34:12,930 ERROR [org.picketlink.common] (ServerService Thread Pool -- 64) Exception creating TrustKeyManager:: java.net.MalformedURLException: no protocol: ${plink.IDPurl}
{code}

The fix for BZ1414138 is the cause of the issue.
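
Added example, not part of the original report or of PicketLink/EAP code: a pre-upgrade check that lists every `${...}` placeholder in a picketlink.xml (element text and attributes) and whether standalone.xml declares it, so the values affected by this regression are known before moving to 6.4.18. The sample documents are constructed from the report's fragments; the `LogOutPage` placeholder, the `urn:example:domain` namespace and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Plain ${name} form only, as used in the report (assumption: no default-value syntax).
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Constructed samples: the report's fragments, closed so they parse.
# The LogOutPage placeholder and the urn:example:domain namespace are invented here.
SAMPLE_PICKETLINK = """<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
      BindingType="POST" LogOutPage="${plink.logoutPage}">
    <IdentityURL>${plink.IDPurl}</IdentityURL>
    <ServiceURL>${plink.SPurl}</ServiceURL>
  </PicketLinkSP>
</PicketLink>"""
SAMPLE_STANDALONE = """<server xmlns="urn:example:domain">
  <system-properties>
    <property name="plink.IDPurl" value="https://www.myidp.com"/>
    <property name="plink.SPurl" value="https://mysp.com/"/>
  </system-properties>
</server>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def defined_properties(standalone_xml):
    """Names declared under any <system-properties> element."""
    root = ET.fromstring(standalone_xml)
    return {p.attrib["name"]
            for sp in root.iter() if local(sp.tag) == "system-properties"
            for p in sp if local(p.tag) == "property" and "name" in p.attrib}

def audit(picketlink_xml, standalone_xml):
    """Return (location, property, defined) for every ${...} in text or attributes."""
    props = defined_properties(standalone_xml)
    rows = []
    for el in ET.fromstring(picketlink_xml).iter():
        name = local(el.tag)
        values = [(name, el.text or "")]
        values += [(f"{name}@{attr}", val) for attr, val in el.attrib.items()]
        for loc, val in values:
            rows += [(loc, key, key in props) for key in PLACEHOLDER.findall(val)]
    return rows

if __name__ == "__main__":
    for loc, key, ok in audit(SAMPLE_PICKETLINK, SAMPLE_STANDALONE):
        print(f"{loc}: ${{{key}}} -> {'defined' if ok else 'NOT defined'} in standalone.xml")
```

Every row returned is a value that depends on system-property substitution in picketlink.xml; rows flagged as not defined would fail on any version.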

Comment 5 Jiří Bílek 2018-01-04 16:56:33 UTC
Verified with EAP 6.4.19.CP.CR1

