[midPoint] Security Advisory: Plain text password in task objects in repository
Radovan Semancik
radovan.semancik at evolveum.com
Thu May 23 09:51:06 CEST 2019
Date: 23 May 2019
Severity: Low (CVSS 0.1-3.9)
Affected versions: all released midPoint versions
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased), 3.6.2 (unreleased)
Description
Plaintext passwords are sometimes stored in task objects in the
repository (database).
Severity and Impact
Tasks dealing with password manipulation (e.g. bulk or asynchronous
password resets) may contain plaintext password values, so any user who
is able to retrieve these tasks from the repository can read them.
Most midPoint deployments are not affected by this issue at all. By
default there are no tasks that manipulate passwords unless the midPoint
administrator creates them explicitly. Also, the default midPoint
configuration does not grant access to arbitrary task objects to anyone
other than the system administrator.
Mitigation
MidPoint users are advised to upgrade their deployments to the latest
builds from the support branches.
As this is a low severity issue, it does not force official maintenance
releases of midPoint. However, the fix is provided in all the support
branches.
Discussion and Explanation
MidPoint can execute custom tasks in the background. Typical ones are bulk
action (midPoint scripting) tasks and tasks that asynchronously execute
specified object changes. The actions or changes to be executed are stored
directly in these tasks. Although midPoint encrypts all the data that is
to be stored in the repository, it did not do so consistently: some data,
namely data related to object changes, passed through the encryption
routine without being recognized as protected values.
The midPoint code was fixed so that it recognizes password data at greater
depth than before. However, one condition must still be fulfilled: the
values to be protected must be marked as such. Please see this wiki page
for more information:
https://wiki.evolveum.com/display/midPoint/How+to+provide+password+values+to+bulk+actions+(and+other+task+types)+securely
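As an added audit check (not midPoint's own code), the script below scans an exported task object for password values that were stored as a clearValue instead of encryptedData, which is exactly the condition this advisory describes. The ProtectedString element names, the password/credentials parent names and the sample task XML are assumptions made for illustration.

```python
"""Audit an exported midPoint task object for unencrypted password values.

Added example, not midPoint's own code. Assumes midPoint's ProtectedString
layout (a protected value carries either an encryptedData or a clearValue
child) and that password values sit under an element with local name
'password' or 'credentials'. The sample task XML below is constructed.
"""
import xml.etree.ElementTree as ET

SENSITIVE_PARENTS = {"password", "credentials"}


def _local(tag):
    """Strip the namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_passwords(xml_text):
    """Return element paths of clearValue nodes inside a password/credentials subtree."""
    findings = []

    def walk(elem, path, sensitive):
        name = _local(elem.tag)
        path = f"{path}/{name}"
        # Once we are under a password/credentials element, any clearValue
        # below it is a password stored without encryption.
        sensitive = sensitive or name in SENSITIVE_PARENTS
        if sensitive and name == "clearValue":
            findings.append(path)
        for child in elem:
            walk(child, path, sensitive)

    walk(ET.fromstring(xml_text), "", False)
    return findings


# Constructed sample: one change still in clear text, one properly encrypted.
SAMPLE_TASK = """<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
  <name>bulk-password-reset</name>
  <extension><objectDelta>
    <modification><value><password>
      <value><t:clearValue>Secret123</t:clearValue></value>
    </password></value></modification>
    <modification><value><password>
      <value><t:encryptedData><t:cipherData>AAAA</t:cipherData></t:encryptedData></value>
    </password></value></modification>
  </objectDelta></extension>
</task>"""
```

Running find_plaintext_passwords(SAMPLE_TASK) reports only the first modification; a clean task yields an empty list.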
Credit
This issue was reported by Martin Lízner through the EU-Free and Open
Source Software Auditing (EU-FOSSA2) project.
See Also
https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Plain+text+password+in+task+objects+in+repository
--
Radovan Semancik
Software Architect
evolveum.com