[midPoint] Security Advisory: MidPoint user interface clickjacking

Radovan Semancik radovan.semancik at evolveum.com
Thu Mar 21 09:24:53 CET 2019


Date: 21 Mar 2019
Severity: Medium (CVSS 4.2)
Affected versions: all midPoint versions
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 
(unreleased), 3.7.2 (unreleased)

Description

The midPoint user interface is vulnerable to clickjacking. An attacker can 
embed the midPoint user interface in a frame, and the victim can be tricked 
into unknowingly initiating actions in that framed user interface. The 
issue was caused by a missing X-Frame-Options header.

Severity and Impact

This is a medium-severity issue. There is significant potential damage 
that an attacker can cause. The attack can be relatively easy on an 
uncustomized midPoint instance. However, the midPoint user interface is 
almost always customized and configured to adapt to the specific 
environment. Therefore the attack is quite complex in practical cases, 
as it requires intimate knowledge of the deployment. Also, interaction 
of a privileged user is required.

Mitigation

MidPoint users are advised to upgrade their deployments to the latest 
builds from the support branches. MidPoint 3.6.x users are advised to 
upgrade to a newer midPoint version.

As this is a medium-severity issue, it does not force official 
maintenance releases of midPoint. However, the fix is provided in all 
the support branches, except for the midPoint 3.6 support branch. MidPoint 
3.6 uses a different structural framework than later versions (i.e. 
it is not based on Spring Boot), therefore the fix cannot be directly 
backported. MidPoint 3.6 is also very close to the end of support, 
therefore midPoint 3.6 users are strongly advised to upgrade to a newer 
midPoint version as soon as possible. Despite all those circumstances we 
can still provide a fix for midPoint 3.6 in case any midPoint 
subscriber asks for it.
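To confirm that an upgraded deployment actually sends an anti-framing header, the following check can be run against the login page. It is an added example, not midPoint project code; it evaluates both X-Frame-Options (the header this advisory reports as missing) and the Content-Security-Policy frame-ancestors directive, which modern browsers prefer when both are present. The sample headers are constructed, and the URL argument to check_url is whatever the reader's own instance is.

```python
"""Evaluate whether an HTTP response allows the page to be framed."""
from typing import Dict, Tuple
import urllib.request


def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return ('protected'|'framable', reason) for a set of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # CSP frame-ancestors takes precedence over X-Frame-Options when present.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # '*' or a bare scheme such as 'https:' lets any origin frame the page.
            if "*" in sources or any(s.endswith(":") for s in sources):
                return "framable", "CSP frame-ancestors allows any origin"
            return "protected", f"CSP frame-ancestors {' '.join(parts[1:])}"

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Current browsers ignore ALLOW-FROM, so it gives no real protection.
        return "framable", "X-Frame-Options ALLOW-FROM is not honoured by browsers"
    return "framable", "no X-Frame-Options or frame-ancestors header"


def check_url(url: str) -> Tuple[str, str]:
    """Fetch a live page (e.g. a midPoint login page) and evaluate its headers."""
    with urllib.request.urlopen(url) as resp:
        return framing_policy(dict(resp.headers.items()))


# Constructed sample headers: an unpatched instance and a patched one.
UNPATCHED = {"Content-Type": "text/html;charset=UTF-8",
             "Set-Cookie": "JSESSIONID=constructed; HttpOnly"}
PATCHED = {"Content-Type": "text/html;charset=UTF-8",
           "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for name, hdrs in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        status, reason = framing_policy(hdrs)
        print(f"{name}: {status} ({reason})")
```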

Credit

This bug was reported by Yash Sodha (yashrs) through the EU-Free and 
Open Source Software Auditing (EU-FOSSA2) project.

See Also

https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+MidPoint+user+interface+clickjacking

-- 
Radovan Semancik
Software Architect
evolveum.com
