flaw 1: In case a PicketLink Service Provider is accessed with an assertion with an AudienceRestriction element in the Conditions element, and the Audience elements contain only URIs of parties the SP is not a member of, the SP considers such an assertion to be valid. However, according to the SAML2 specification: "the audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified." Let's have service providers SP1 and SP2, and an identity provider IdP. SP1 and SP2 use IdP for authentication. Because of the bug, an assertion intended for SP1 could be misused to log in to SP2 -- in case an attacker catches the assertion, he could log in not only to SP1 but also to SP2.

flaw 2: In case a PicketLink SP is accessed with an assertion with a Destination attribute in the Response element, and the Destination attribute is set to any URI, the SP never discards the response. However, according to the SAML2 specification: "If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the response MUST be discarded."
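The two checks the report says were missing, written as an added example in Python (not PicketLink's own code) and run against a constructed Response; the SP entity IDs, ACS URL and XML sample are assumptions, and signature verification is out of scope here:

```python
# Added example, not PicketLink code: the Destination and AudienceRestriction
# checks from the SAML2 spec, applied to a constructed Response. Entity IDs,
# URLs and the XML sample are assumptions.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def destination_ok(response, received_at):
    """Flaw 2: if Destination is present it MUST equal the URL the response
    actually arrived at; an absent Destination imposes no check."""
    dest = response.get("Destination")
    return dest is None or dest == received_at

def audience_ok(assertion, sp_entity_id):
    """Flaw 1: every AudienceRestriction must list this SP as one of its
    Audience values (restrictions are ANDed, audiences within one are ORed);
    no AudienceRestriction means nothing to evaluate."""
    for restriction in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction", NS):
        audiences = [a.text.strip()
                     for a in restriction.findall("saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            return False
    return True

def validate(xml_text, received_at, sp_entity_id):
    """Return (accepted, reason) for a SAML Response delivered to this SP."""
    response = ET.fromstring(xml_text)
    if not destination_ok(response, received_at):
        return False, "Destination does not match the receiving endpoint"
    for assertion in response.findall("saml:Assertion", NS):
        if not audience_ok(assertion, sp_entity_id):
            return False, "SP is not a member of the asserted audience"
    return True, "ok"

# Constructed sample: an assertion intended for SP1, addressed to SP1's ACS.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sp1.example/saml/acs">
  <saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp1.example</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

With these checks, the same SAMPLE is accepted by SP1 but rejected when replayed to SP2, which is the scenario the report describes.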
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-680 to Resolved
Fixed in commits:

Audience validation:
- http://git.app.eng.bos.redhat.com/git/picketlink25.git/commit/?h=eap-6.x&id=f89de9cc28f73e1f99d27582a64cae0f82430410
- http://git.app.eng.bos.redhat.com/git/picketlink-bindings-25.git/commit/?h=eap-6.x&id=a449a83438f4d8d52c3c901908aec14233f04a16

Destination validation:
- http://git.app.eng.bos.redhat.com/git/picketlink25.git/commit/?h=eap-6.x&id=7b10ea2d3385804c69b672032510609831d12aad
- http://git.app.eng.bos.redhat.com/git/picketlink-bindings-25.git/commit/?h=eap-6.x&id=8172cc0d4986a5dc2d3a236704b3fcced6249cee
Acknowledgement: This issue was discovered by Ondrej Kotek of Red Hat.
This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.4.0 Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6 Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 5 Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 7 Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html