[mitreid-connect] Security Status | OpenID-Connect-Java-Spring-Server | CVE-2021-26715

Justin Richer jricher at mit.edu
Fri Sep 10 08:20:24 EDT 2021


The vulnerability as described is a known limitation within the protocols and not unique to the MITREid Connect project. Any time you let an outside party provide a URL that is meant to be fetched by the server, that URL could have bad effects. Therefore, ALL URLs that are outbound calls from the AS need to be protected: it’s a server-wide protection, not specific to the MITREid Connect software itself. 

The reporters of the CVE entry contacted us with a proposed fix that addressed only the “logo_uri” value, without addressing any of the others. In addition, the proposed fix for the “logo_uri” would have potential privacy impacts on end-users. Since this fix was both incomplete and had other problems, the proposed fix was not applied to the software.

In short, the actual fix is at the server level, to configure the hosted environment to not allow the AS to fetch these kinds of URLs directly, or blocklist internal URLs from any user-supplied values (and especially not just the logo URI).

 — Justin
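The server-wide check Justin describes, as an added illustration (not MITREid Connect code and not from this thread): one gate that every outbound fetch from the AS passes through, whether the URL came from logo_uri, jwks_uri or any other client-supplied value. It rejects non-HTTPS schemes, userinfo in the URL, and any host whose literal or resolved addresses fall in internal ranges, and it hands back the address it checked so the caller can connect to exactly that address instead of resolving a second time. The function names, the constructed DNS table and its sample addresses are assumptions made for this example.

```python
"""Single gate for URLs an authorization server fetches on a client's behalf.

Added example for the mailing-list discussion; it is not MITREid Connect
code. Function names and the DNS table below are invented for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}

# Constructed DNS answers so the example runs offline. The host names and
# addresses are sample values chosen for this illustration only.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "v6.example.com": ["2606:2800:220:1:248:1893:25c8:1946"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # mixed public/internal answers
    "mapped.example.org": ["::ffff:10.1.2.3"],            # IPv4-mapped IPv6 hiding a private address
}


def fake_resolver(host):
    """Resolver used by the offline example; a deployment uses system_resolver."""
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN: " + host)
    return list(FAKE_DNS[host])


def system_resolver(host):
    """All A/AAAA answers for host, via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal_address(ip_text):
    """True for any address the AS must never be steered into contacting."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to the embedded address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return bool(ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=system_resolver):
    """Decide whether the AS may fetch url.

    Returns (True, pinned_ip) when every resolved address is public, or
    (False, reason) otherwise. The caller should connect to pinned_ip (keeping
    the original host name for SNI/Host) rather than resolving again, so a
    later DNS answer cannot differ from the one that was checked.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"

    # A literal IP in the URL is checked directly; otherwise resolve the name.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, "DNS failure: %s" % exc
    if not addresses:
        return False, "no addresses for host"

    # One internal answer among several is enough to reject: a mixed answer
    # set must not be allowed to depend on which address the client picks.
    for addr in addresses:
        if is_internal_address(addr):
            return False, "resolves to internal address %s" % addr
    return True, addresses[0]


if __name__ == "__main__":
    for u in ("https://cdn.example.com/logo.png", "https://rebind.example.net/logo.png",
              "https://127.0.0.1/", "http://cdn.example.com/logo.png"):
        print(u, "->", check_outbound_url(u, fake_resolver))
```

This is the address-range blocklist Justin mentions, applied at the one place all outbound fetches go through; it complements, rather than replaces, egress controls in the hosting environment, which catch anything that bypasses application code. Returning the checked address for the caller to pin is what keeps the check and the fetch consistent.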

> On Sep 6, 2021, at 11:31 AM, Pereira Roque Lino, Jose Eduardo <jose.roque_lino at siemens.com> wrote:
> 
> Dear MITREid Connect,
> 
> I'm reaching out as a member of the Siemens Vulnerability Monitoring (SVM) team, responsible for informing Siemens customers and employees about vulnerabilities affecting third-party components. We focus on vulnerability analysis and rely mostly on publicly available information, without reproducing reported exploits.
> 
> We are currently investigating a vulnerability with assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-26715. Further details on the vulnerability can be found at this link: https://nvd.nist.gov/vuln/detail/CVE-2021-26715
> 
> It is unclear to us whether the vulnerability has been addressed in the corresponding product:
> • OpenID-Connect-Java-Spring-Server: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
> Could you please briefly elaborate whether there are plans to publish a release that includes the fix, and when the expected release date is? This information would help us to inform our users accordingly.
> 
> With best regards,
> José Lino
> 
> Siemens S.A.
> CYS DEF EU2
> Rua Irmaos Siemens, 1
> 2720-093 Amadora, Portugal 
> mailto:jose.roque_lino at siemens.com
>  
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect

