[midPoint] Security Advisory: Workitem identifier weakness

Radovan Semancik radovan.semancik at evolveum.com
Thu Apr 18 11:16:17 CEST 2019


Date: 18 Apr 2019
Severity: Medium (CVSS 4.3)
Affected versions: all midPoint versions up to 3.9
Fixed in versions: 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.2 
(unreleased), 3.6.2 (unreleased)

Description

Any approver can display any workitem by guessing its short identifier.

Severity and Impact

This is a medium-severity issue. An attacker can gain read access to 
information stored in workitems that should otherwise be inaccessible. 
The impact of this vulnerability is limited to information leakage 
(confidentiality). The attacker cannot act on those workitems (integrity 
is not impacted). The approver role is needed to exploit this vulnerability.

Mitigation

MidPoint users are advised to upgrade their deployments to the latest 
builds from the support branches.
As this is a medium-severity issue, it does not force official 
maintenance releases of midPoint. However, the fix is provided in all 
the support branches.

Discussion and Explanation

MidPoint 3.9 and earlier relied on Activiti for all workflow-related 
processing. Activiti is a general-purpose workflow engine and the design 
of Activiti is based on different paradigms than the design of 
midPoint. Therefore, during the course of midPoint development there were 
often integration difficulties and compromise solutions had to be 
implemented. This vulnerability may be considered an indirect 
consequence of such a compromise. A temporary solution that significantly 
reduces the probability of identifier guessing was implemented for 
midPoint 3.9 and earlier.

The "conceptual incompatibility" of Activiti and midPoint core was also 
one of the reasons for the decision to remove the Activiti component in 
midPoint 4.0 and later. MidPoint 4.0 uses a completely different 
mechanism for dealing with workitems, which is conceptually compatible 
with the rest of midPoint and especially with the midPoint authorization 
mechanism.

Credit

Variants of this issue were reported by Martin Lizner by means of the 
EU-Free and Open Source Software Auditing (EU-FOSSA2) project.

See Also

https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Workitem+identifier+weakness

-- 
Radovan Semancik
Software Architect
evolveum.com
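
Added example, not part of the advisory and not midPoint or Activiti code: a constructed in-memory model of the weakness described above, where a role check without a per-object check lets any approver read a workitem whose identifier they can guess. All class and method names are hypothetical, and using random identifiers as the guess-reducing measure is an assumption, since the advisory does not describe how the fix is implemented.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class WorkItem:
    item_id: str
    assignee: str
    payload: str

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

class Forbidden(Exception):
    pass

class WorkItemStore:
    """Constructed model of a workitem service (hypothetical, for illustration)."""
    def __init__(self, random_ids=False):
        self._items, self._seq, self._random_ids = {}, 0, random_ids

    def create(self, assignee, payload):
        self._seq += 1
        # Short sequential ids are guessable; 128-bit random ids only lower the odds.
        item_id = secrets.token_hex(16) if self._random_ids else str(self._seq)
        self._items[item_id] = WorkItem(item_id, assignee, payload)
        return item_id

    def get_role_only(self, user, item_id):
        # Weak pattern: the role is checked, the requested object is not.
        if "approver" not in user.roles:
            raise Forbidden("approver role required")
        return self._items[item_id]

    def get_authorized(self, user, item_id):
        # Hardened: role check plus per-object check against the assignee.
        # Missing and foreign items fail identically, so ids cannot be probed.
        item = self._items.get(item_id)
        if "approver" not in user.roles or item is None or item.assignee != user.name:
            raise Forbidden("not authorized for this work item")
        return item

def readable_ids(getter, user, candidate_ids):
    """Audit helper: which candidate ids does `getter` return to `user`?"""
    found = []
    for cid in candidate_ids:
        try:
            found.append(getter(user, cid).item_id)
        except (Forbidden, KeyError):
            pass
    return found
```

Random identifiers shrink the chance of a successful guess but still disclose the item to any approver who learns the identifier some other way; only the per-object check removes the access.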
