1 Reply Latest reply on Aug 19, 2016 10:11 AM by pcraveiro

    Picketlink security issues CVE-2015-6254, CVE-2015-3158 and CVE-2015-0277 in WildFly 10

    brianpreuss

      Hi there,

      I've recently integrated the OWASP Dependency Checker into our build. Our project uses WildFly 10. The OWASP Dependency Checker finds several issues related to WildFly 10 and Picketlink, which are

      CVE-2015-6254

      The (1) Service Provider (SP) and (2) Identity Provider (IdP) in PicketLink before 2.7.0 does not ensure that the Destination attribute in a Response element in a SAML assertion matches the location from which the message was received, which allows remote attackers to have unspecified impact via unknown vectors. NOTE: this identifier was SPLIT from CVE-2015-0277 per ADT2 due to different vulnerability types.

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6254

      related Picketlink JIRA issues:

      CVE-2015-3158

      The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3158

      related Picketlink JIRA issues:

      CVE-2015-0277

      The Service Provider (SP) in PicketLink before 2.7.0 does not ensure that it is a member of an Audience element when an AudienceRestriction is specified, which allows remote attackers to log in to other users' accounts via a crafted SAML assertion. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6254 for lack of validation for the Destination attribute in a Response element in a SAML assertion.

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0277

      related Picketlink JIRA issues:

      The only clue I could find is the issue [WFLY-6360] Upgrade picketlink 2.5.5.SP1 to 2.5.5.SP2 - JBoss Issue Tracker included in WildFly 10.1.0.CR1. But I can't find any information or release note for Picketlink 2.5.5.SP2.

      Where are the release notes for Picketlink 2.5.5.SP2? Does this version contain fixes for the above-mentioned CVEs?

      Regards,

      Brian Preuß

      Koblenz, Germany
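The two SAML checks that CVE-2015-6254 and CVE-2015-0277 say PicketLink (before 2.7.0) did not perform are easy to state in code: the Response's Destination must equal the endpoint the SP actually received it at, and when the assertion carries an AudienceRestriction, the SP's own entity ID must be one of the listed Audiences. The following is an added, stand-alone Python example illustrating those two checks on a constructed, unsigned sample response; it is not PicketLink code and not part of the original post. The sample URLs, entity IDs and the helper names (`validate_response`, `rejection_reason`) are assumptions made for the illustration. In a real SP these checks run after the XML signature has been verified, and untrusted XML should be parsed with a hardened parser such as defusedxml rather than plain ElementTree.

```python
"""Destination and AudienceRestriction checks on a SAML 2.0 Response.

Added example (not PicketLink's code). The sample response below is constructed
for the illustration: it is unsigned and the hosts do not exist.
"""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAMLP_RESPONSE_TAG = "{%s}Response" % NS["samlp"]

# Constructed sample: the SP's ACS endpoint and entity ID are assumptions.
SP_ACS_URL = "https://sp.example.test/saml/acs"
SP_ENTITY_ID = "https://sp.example.test/saml"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2016-08-19T10:11:00Z"
    Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-08-19T10:11:00Z">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Variant whose assertion was issued for a different SP (constructed).
SAMPLE_WRONG_AUDIENCE = SAMPLE_RESPONSE.replace(
    "https://sp.example.test/saml</saml:Audience>",
    "https://other-sp.example.test/saml</saml:Audience>",
)


class SamlValidationError(Exception):
    """Raised when a Response must be rejected."""


def check_destination(response, received_at):
    """CVE-2015-6254 check: Destination must be present and identical to the
    URL this SP received the message on. Exact string comparison, no
    normalization, so a look-alike host or extra path segment is rejected."""
    destination = response.get("Destination")
    if destination is None:
        raise SamlValidationError("Response has no Destination attribute")
    if destination != received_at:
        raise SamlValidationError(
            "Destination %r does not match receiving endpoint %r" % (destination, received_at)
        )


def check_audience(assertion, sp_entity_id):
    """CVE-2015-0277 check: every AudienceRestriction present must list this
    SP. Multiple AudienceRestriction elements are ANDed per the SAML core
    spec; an assertion without any restriction is left to the caller's policy."""
    restrictions = assertion.findall("saml:Conditions/saml:AudienceRestriction", NS)
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            raise SamlValidationError(
                "SP %r is not among the Audiences %r" % (sp_entity_id, audiences)
            )
    return len(restrictions)


def validate_response(xml_text, received_at, sp_entity_id):
    """Parse a Response, apply both checks to it and to every Assertion it
    carries, and return the subject NameIDs that passed."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP_RESPONSE_TAG:
        raise SamlValidationError("Root element is not samlp:Response")
    check_destination(root, received_at)
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        raise SamlValidationError("Response carries no Assertion")
    subjects = []
    for assertion in assertions:
        check_audience(assertion, sp_entity_id)
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None or not name_id.text:
            raise SamlValidationError("Assertion has no Subject/NameID")
        subjects.append(name_id.text.strip())
    return subjects


def rejection_reason(xml_text, received_at, sp_entity_id):
    """Convenience wrapper: None when the Response is accepted, else the reason."""
    try:
        validate_response(xml_text, received_at, sp_entity_id)
    except SamlValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SP_ACS_URL, SP_ENTITY_ID))
    print(rejection_reason(SAMPLE_RESPONSE, "https://other.example.test/acs", SP_ENTITY_ID))
    print(rejection_reason(SAMPLE_WRONG_AUDIENCE, SP_ACS_URL, SP_ENTITY_ID))
```

The point of the wrapper is that both failures end in a hard reject: a Response addressed to some other endpoint and an assertion issued for some other SP both come back with a reason string instead of a subject, which is the behaviour the NVD entries describe as missing.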