[midPoint] Security Advisory: Plain text password in task objects in repository

Martin Lízner - AMI Praha a.s. martin.lizner at ami.cz
Tue May 28 08:42:06 CEST 2019


Substantial help in finding this issue was provided by Arnošt Starosta.
Thank you, Arnošt. M.

*Martin Lízner*
chief solution architect

gsm: [+420] 737 745 571
e‑mail: martin.lizner at ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz


By the text of this e‑mail the signatory neither promises to conclude nor concludes
any contract on behalf of AMI Praha a.s.
Any contract, if concluded, must be made exclusively in written form.

This e‑mail is intended solely for its addressee(s) and may contain
confidential or personal information. If you are not the intended recipient,
any disclosure, forwarding or other use of this information is prohibited.
If you have received this e‑mail without authorization, please notify the
sender and immediately delete all copies of this e‑mail including all its
attachments. Handling information obtained without authorization exposes you
to the risk of legal action.


On Thu, 23 May 2019 at 9:51, Radovan Semancik <
radovan.semancik at evolveum.com> wrote:

> Date: 23 May 2019
> Severity: Low (CVSS 0.1-3.9)
> Affected versions: all released midPoint versions
> Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1
> (unreleased), 3.7.3 (unreleased), 3.6.2 (unreleased)
>
> Description
>
> Plaintext passwords are sometimes stored in task objects in the
> repository (database).
>
> Severity and Impact
>
> Tasks dealing with password manipulation (e.g. when doing bulk or
> asynchronous password reset) may contain plaintext password values. So a
> user that is able to retrieve these tasks from the repository can see them.
>
> Most midPoint deployments are not affected by this issue at all. By
> default, there are no tasks that manipulate passwords, unless created
> explicitly by the midPoint administrator. Also, the default midPoint
> configuration does not allow access to arbitrary task objects by anyone
> other than the system administrator.
>
> Mitigation
>
> MidPoint users are advised to upgrade their deployments to the latest
> builds from the support branches.
> As this is a low severity issue, it is not forcing official maintenance
> releases of midPoint. However, the fix is provided in all the support
> branches.
>
> Discussion and Explanation
>
> MidPoint can execute custom tasks in the background. Typical ones are bulk
> action (midPoint scripting) tasks and tasks that asynchronously execute
> specified object changes. Actions or changes to be executed are stored
> directly in these tasks. Although midPoint encrypts all the data that is
> to be stored into the repository, it did not do that consistently and some
> data – namely, data related to object changes – passed through this
> encryption routine unnoticed.
>
> The midPoint code was fixed to be able to recognize password data in
> more depth than before. However, there are some conditions that must be
> fulfilled here: basically, values to be protected must be marked as
> such. Please see this wiki page for more information:
>
> https://wiki.evolveum.com/display/midPoint/How+to+provide+password+values+to+bulk+actions+(and+other+task+types)+securely
>
> Credit
>
> This issue was reported by Martin Lízner by means of the EU-Free and
> Open Source Software Auditing (EU-FOSSA2) project.
>
> See Also
>
> https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Plain+text+password+in+task+objects+in+repository
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
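A defender-side check for the condition the advisory describes, added here as an example and not part of the advisory or of midPoint's own code: it scans an XML export of task objects and reports every password value that is still a `clearValue` or an unmarked plain string rather than an encrypted or hashed ProtectedStringType. It assumes midPoint's public common and prism-types namespaces; the sample export and its simplified element layout are constructed.

```python
"""Scan an XML export of midPoint task objects for password values that are
not stored in an encrypted (or hashed) ProtectedStringType form.
Added example, not midPoint code; namespaces are midPoint's public ones,
the sample export below is constructed and its element layout simplified."""
import xml.etree.ElementTree as ET

NS_C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
NS_T = "http://prism.evolveum.com/xml/ns/public/types-3"
# ProtectedStringType forms that are safe to persist in the repository
PROTECTED_FORMS = {f"{{{NS_T}}}{n}" for n in ("encryptedData", "hashedData", "externalData")}

def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def find_plaintext_passwords(xml_text):
    """Return (task name, finding) for every <password>/<value> in a task that
    is a clearValue or an unmarked plain string, i.e. not encrypted or hashed."""
    findings = []
    for task in ET.fromstring(xml_text).iter(f"{{{NS_C}}}task"):
        name_el = task.find(f"{{{NS_C}}}name")
        task_name = name_el.text if name_el is not None else "<unnamed>"
        for pw in (e for e in task.iter() if local(e.tag) == "password"):
            for value in (e for e in pw.iter() if local(e.tag) == "value"):
                children = list(value)
                if not children and (value.text or "").strip():
                    findings.append((task_name, "unmarked plain string"))
                elif children and not any(c.tag in PROTECTED_FORMS for c in children):
                    findings.append((task_name, local(children[0].tag)))
    return findings

# Constructed sample: one task with a clearValue, one properly encrypted,
# one whose password was never marked as ProtectedStringType at all.
SAMPLE_EXPORT = f"""<objects xmlns="{NS_C}" xmlns:t="{NS_T}">
  <task><name>reset-clear</name><extension><password><value>
    <t:clearValue>Secret123</t:clearValue></value></password></extension></task>
  <task><name>reset-ok</name><extension><password><value><t:encryptedData>
    <t:cipherData><t:cipherValue>QUJD</t:cipherValue></t:cipherData>
    </t:encryptedData></value></password></extension></task>
  <task><name>reset-unmarked</name><extension><password><value>Secret123</value>
    </password></extension></task>
</objects>"""

if __name__ == "__main__":
    for task_name, finding in find_plaintext_passwords(SAMPLE_EXPORT):
        print(f"{task_name}: password stored as {finding}")
```

Running it against a real repository export (for example one produced before and after the upgrade) shows which tasks still need their password values marked as protected so that midPoint encrypts them.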