[midPoint] Security Advisory: User changes and user session updates

Radovan Semancik radovan.semancik at evolveum.com
Mon Sep 9 18:24:34 CEST 2019


Date: 9 September 2019
Severity: Low (CVSS 0.1 - 3.9)
Affected versions: all released midPoint versions before 4.0
Fixed in versions: 4.0

Description

Sessions of users logged in to the midPoint user interface are not 
affected by changes to the user's profile until the user logs in again. 
For example, a logged-in user stays active even if the user profile is 
disabled, and a logged-in user can keep using the privileges of a role 
that is revoked during the validity of the user session.

Severity and Impact

As user privileges are not revoked immediately, there is an "interval of 
vulnerability" during which the user could use privileges that are no 
longer valid for that user.

Mitigation

A partial solution to the problem is provided in midPoint 4.0: an 
administrator can explicitly delete the sessions of an affected user. A 
new "Logged-in users" page is available under "Internals configuration".

Discussion and Explanation

At the time when midPoint started, such handling of user sessions was 
common practice in almost all web applications. Therefore this report 
is, strictly speaking, not a bug report; it is closer to a feature 
request. Up until now there was no request from any midPoint subscriber 
or user to change this behavior, which is why midPoint still works as it 
did many years ago.

However, we fully acknowledge that times are changing and that there is 
now a need for a higher standard of security and convenience. Therefore, 
even though this feature was not explicitly requested by any midPoint 
subscriber, we have decided to add it to the midPoint roadmap. 
Unfortunately there is no simple solution at the moment. MidPoint 
deployments are often clustered, which means that user sessions are 
distributed across several nodes. The situation is further complicated 
by frequent changes to user objects: an aggressive implementation of 
session invalidation would cause a severe performance impact. Therefore 
we have decided to provide a partial stop-gap solution in midPoint 4.0, 
which will be followed by improvements in subsequent midPoint releases.
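The following Python example is added here to illustrate the three behaviours the advisory describes; it is not midPoint code and does not reflect how midPoint stores sessions. It models a toy in-memory user repository and a per-node session registry: the legacy mode snapshots the user's roles at login and never looks again (the "interval of vulnerability"), the administrator's explicit session termination is the 4.0 stop-gap, and an optional per-request re-check closes the window by comparing a version counter on the user object before reusing the cached roles. All names (User, UserRepository, SessionRegistry, the "approver" role, users alice and bob) are constructed for the example.

```python
from dataclasses import dataclass, field
import itertools


@dataclass
class User:
    """Identity as stored in the (constructed) user repository."""
    name: str
    enabled: bool = True
    roles: set = field(default_factory=set)
    version: int = 0  # incremented on every modification of the user object


@dataclass
class Session:
    """A logged-in session holding a snapshot of the user's state."""
    session_id: str
    user_name: str
    roles: set            # copied at login: this copy is what goes stale
    enabled: bool
    user_version: int     # version of the user object the snapshot came from


class UserRepository:
    """Minimal in-memory user store; every change bumps the object's version."""

    def __init__(self):
        self._users = {}

    def add(self, user):
        self._users[user.name] = user

    def get(self, name):
        return self._users[name]

    def revoke_role(self, name, role):
        user = self._users[name]
        user.roles.discard(role)
        user.version += 1

    def disable(self, name):
        user = self._users[name]
        user.enabled = False
        user.version += 1


class SessionRegistry:
    """Sessions held by one node. recheck_on_request=False reproduces the
    legacy behaviour from the advisory; True re-reads the user object
    whenever the session snapshot is older than the stored object."""

    def __init__(self, repo, recheck_on_request=False):
        self._repo = repo
        self._recheck = recheck_on_request
        self._sessions = {}
        self._ids = itertools.count(1)

    def login(self, name):
        user = self._repo.get(name)
        if not user.enabled:
            raise PermissionError("account disabled")
        session = Session(f"s{next(self._ids)}", name, set(user.roles),
                          user.enabled, user.version)
        self._sessions[session.session_id] = session
        return session.session_id

    def authorize(self, session_id, role):
        """Return True if the session may act with the given role."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        if self._recheck:
            self._refresh_if_stale(session)
            if not session.enabled:          # disabled user: drop the session
                self._sessions.pop(session_id, None)
                return False
        return role in session.roles

    def _refresh_if_stale(self, session):
        user = self._repo.get(session.user_name)
        if user.version != session.user_version:  # reload only when changed
            session.roles = set(user.roles)
            session.enabled = user.enabled
            session.user_version = user.version

    def terminate_sessions_of(self, name):
        """Administrator action corresponding to the 4.0 'Logged-in users' page."""
        doomed = [sid for sid, s in self._sessions.items() if s.user_name == name]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def demonstrate():
    """Run the three scenarios and return their outcomes for inspection."""
    results = {}

    # Scenario 1: legacy behaviour. A revoked role stays usable until logout.
    repo = UserRepository()
    repo.add(User("alice", roles={"approver"}))
    legacy = SessionRegistry(repo)
    sid = legacy.login("alice")
    repo.revoke_role("alice", "approver")
    results["legacy_after_revoke"] = legacy.authorize(sid, "approver")    # True

    # Scenario 2: the stop-gap. The administrator terminates alice's sessions.
    results["terminated"] = legacy.terminate_sessions_of("alice")          # 1
    results["legacy_after_terminate"] = legacy.authorize(sid, "approver") # False

    # Scenario 3: re-check on request closes the window without admin action.
    repo2 = UserRepository()
    repo2.add(User("bob", roles={"approver"}))
    strict = SessionRegistry(repo2, recheck_on_request=True)
    sid2 = strict.login("bob")
    results["strict_before_revoke"] = strict.authorize(sid2, "approver")  # True
    repo2.revoke_role("bob", "approver")
    results["strict_after_revoke"] = strict.authorize(sid2, "approver")   # False
    repo2.disable("bob")
    results["strict_after_disable"] = strict.authorize(sid2, "approver")  # False
    results["strict_session_gone"] = strict.authorize(sid2, "anything")   # False
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The version comparison keeps the per-request cost to one cheap read of the user object rather than a full reload, but in a clustered deployment even that read has to reach whichever store holds the current user object, which is the trade-off between immediacy and performance that the advisory weighs.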

Credit

This issue was reported by Tauheed Khan by means of the EU-Free and Open 
Source Software Auditing (EU-FOSSA2) project.

See Also

https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+User+changes+and+user+session+updates

-- 
Radovan Semancik
Software Architect
evolveum.com
