| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| --> |
| <document xmlns="http://maven.apache.org/XDOC/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> |
| |
| <properties> |
| <title>Security Advisories</title> |
| <author email="dev@syncope.apache.org">Apache Syncope Documentation Team</author> |
| </properties> |
| |
| <body> |
| |
| <section name="Security Advisories"> |
| <p>This page lists all security vulnerabilities fixed in released versions of Apache Syncope.</p> |
| <p>Please note that binary patches are never provided. If you need to apply a source code patch, use the |
| <a href="building.html">building instructions</a> or |
| <a href="docs/getting-started.html#create-project">re-generate your Maven project</a> from published archetype.</p> |
| |
| <p>If you want to report a vulnerability, please follow <a href="https://www.apache.org/security/">the procedure</a>.</p> |
| |
| <subsection name="CVE-2020-11977: Remote Code Execution via Flowable workflow definition"> |
| <p>When the Flowable extension is enabled, an administrator with workflow entitlements can use Shell Service Tasks to perform malicious operations, including but not limited |
| to file read, file write, and code execution.</p> |
| |
| <p> |
| <b>Severity</b> |
| </p> |
| <p>Low</p> |
| |
| <p> |
| <b>Affects</b> |
| </p> |
| <p> |
| <ul> |
| <li>2.1.X releases prior to 2.1.7</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Solution</b> |
| </p> |
| <p> |
| <ul> |
| <li>2.1.X users should upgrade to 2.1.7</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Fixed in</b> |
| </p> |
| <p> |
| <ul> |
| <li>Release 2.1.7</li> |
| </ul> |
| </p> |
| |
| <p>Read the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11977">full CVE advisory</a>.</p> |
| </subsection> |
| |
| <subsection name="CVE-2020-1961: Server-Side Template Injection on mail templates"> |
| <p>Vulnerability to Server-Side Template Injection on Mail templates enabling attackers to inject arbitrary JEXL |
| expressions, leading to Remote Code Execution (RCE) was discovered.</p> |
| |
| <p> |
| <b>Severity</b> |
| </p> |
| <p>Important</p> |
| |
| <p> |
| <b>Affects</b> |
| </p> |
| <p> |
| <ul> |
| <li>2.0.X releases prior to 2.0.15</li> |
| <li>2.1.X releases prior to 2.1.6</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Solution</b> |
| </p> |
| <p> |
| <ul> |
| <li>2.0.X users should upgrade to 2.0.15</li> |
| <li>2.1.X users should upgrade to 2.1.6</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Fixed in</b> |
| </p> |
| <p> |
| <ul> |
| <li>Release 2.0.15</li> |
| <li>Release 2.1.6</li> |
| </ul> |
| </p> |
| |
| <p>Read the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1961">full CVE advisory</a>.</p> |
| </subsection> |
| |
| <subsection name="CVE-2020-1959: Multiple Remote Code Execution Vulnerabilities"> |
| <p>A Server-Side Template Injection was identified in Syncope enabling attackers to inject arbitrary Java EL |
| expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. |
| Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators. When building custom |
| constraint violation error messages, they support different types of interpolation, including Java EL |
| expressions. |
| Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be |
| able to run arbitrary Java code.</p> |
| |
| <p> |
| <b>Severity</b> |
| </p> |
| <p>Important</p> |
| |
| <p> |
| <b>Affects</b> |
| </p> |
| <p> |
| <ul> |
| <li>2.1.X releases prior to 2.1.6</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Solution</b> |
| </p> |
| <p> |
| <ul> |
| <li>2.1.X users should upgrade to 2.1.6</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Fixed in</b> |
| </p> |
| <p> |
| <ul> |
| <li>Release 2.1.6</li> |
| </ul> |
| </p> |
| |
| <p>Read the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1959">full CVE advisory</a>.</p> |
| </subsection> |
| |
| <subsection name="CVE-2019-17557: Enduser UI XSS"> |
| <p>It was found that the EndUser UI login page reflects the successMessage parameters. |
| By this mean, a user accessing the Enduser UI could execute javascript code from URL query string.</p> |
| |
| <p> |
| <b>Severity</b> |
| </p> |
| <p>Medium</p> |
| |
| <p> |
| <b>Affects</b> |
| </p> |
| <p> |
| <ul> |
| <li>2.0.X releases prior to 2.0.15</li> |
| <li>2.1.X releases prior to 2.1.6</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Solution</b> |
| </p> |
| <p> |
| <ul> |
| <li>2.0.X users should upgrade to 2.0.15</li> |
| <li>2.1.X users should upgrade to 2.1.6</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Fixed in</b> |
| </p> |
| <p> |
| <ul> |
| <li>Release 2.0.15</li> |
| <li>Release 2.1.6</li> |
| </ul> |
| </p> |
| |
| <p>Read the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17557">full CVE advisory</a>.</p> |
| </subsection> |
| |
| <subsection name="CVE-2018-17186: XXE on BPMN definitions"> |
| <p>An administrator with workflow definition entitlements can use DTD to perform malicious operations, including |
| but not limited to file read, file write, and code execution.</p> |
| |
| <p> |
| <b>Severity</b> |
| </p> |
| <p>Medium</p> |
| |
| <p> |
| <b>Affects</b> |
| </p> |
| <p> |
| <ul> |
| <li>Releases prior to 2.0.11</li> |
| <li>Releases prior to 2.1.2</li> |
| </ul> |
| </p> |
| <p>The unsupported Releases 1.2.x may be also affected.</p> |
| |
| <p> |
| <b>Solution</b> |
| </p> |
| <p> |
| <ul> |
| <li>2.0.X users should upgrade to 2.0.11</li> |
| <li>2.1.X users should upgrade to 2.1.2</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Mitigation</b> |
| </p> |
| <p>Do not assign workflow definition entitlements to any administrator.</p> |
| |
| <p> |
| <b>Fixed in</b> |
| </p> |
| <p> |
| <ul> |
| <li>Release 2.0.11</li> |
| <li>Release 2.1.2</li> |
| </ul> |
| </p> |
| |
| <p>Read the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17186">full CVE advisory</a>.</p> |
| </subsection> |
| |
| <subsection name="CVE-2018-17184: Stored XSS"> |
| <p>A malicious user with enough administration entitlements can inject html-like elements containing JavaScript |
| statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions.<br/> |
| When another user with enough administration entitlements edits one of the Entities above via Admin Console, |
| the injected JavaScript code is executed.</p> |
| |
| <p> |
| <b>Severity</b> |
| </p> |
| <p>Important</p> |
| |
| <p> |
| <b>Affects</b> |
| </p> |
| <p> |
| <ul> |
| <li>Releases prior to 2.0.11</li> |
| <li>Releases prior to 2.1.2</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Solution</b> |
| </p> |
| <p> |
| <ul> |
| <li>2.0.X users should upgrade to 2.0.11</li> |
| <li>2.1.X users should upgrade to 2.1.2</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Fixed in</b> |
| </p> |
| <p> |
| <ul> |
| <li>Release 2.0.11</li> |
| <li>Release 2.1.2</li> |
| </ul> |
| </p> |
| |
| <p>Read the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17184">full CVE advisory</a>.</p> |
| </subsection> |
| |
| <subsection name="CVE-2018-1322: Information disclosure via FIQL and ORDER BY sorting"> |
| <p>An administrator with user search entitlements can recover sensitive security values using the |
| <code>fiql</code> and <code>orderby</code> parameters.</p> |
| |
| <p> |
| <b>Severity</b> |
| </p> |
| <p>Medium</p> |
| |
| <p> |
| <b>Affects</b> |
| </p> |
| <p> |
| <ul> |
| <li>Releases prior to 1.2.11</li> |
| <li>Releases prior to 2.0.8</li> |
| </ul> |
| </p> |
| <p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p> |
| |
| <p> |
| <b>Solution</b> |
| </p> |
| <p> |
| <ul> |
| <li>Syncope 1.2.x users should upgrade to 1.2.11</li> |
| <li>Syncope 2.0.x users should upgrade to 2.0.8</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Mitigation</b> |
| </p> |
| <p>Do not assign user search entitlements to any administrator.</p> |
| |
| <p> |
| <b>Fixed in</b> |
| </p> |
| <p> |
| <ul> |
| <li>Release 1.2.11</li> |
| <li>Release 2.0.8</li> |
| </ul> |
| </p> |
| |
| <p>Read the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1322">full CVE advisory</a>.</p> |
| </subsection> |
| |
| <subsection name="CVE-2018-1321: Remote code execution by administrators with report and template entitlements"> |
| <p>An administrator with report and template entitlements can use XSL Transformations (XSLT) to perform |
| malicious operations, including but not limited to file read, file write, and code execution.</p> |
| |
| <p> |
| <b>Severity</b> |
| </p> |
| <p>Medium</p> |
| |
| <p> |
| <b>Affects</b> |
| </p> |
| <p> |
| <ul> |
| <li>Releases prior to 1.2.11</li> |
| <li>Releases prior to 2.0.8</li> |
| </ul> |
| </p> |
| <p>The unsupported Releases 1.0.x, 1.1.x may be also affected.</p> |
| |
| <p> |
| <b>Solution</b> |
| </p> |
| <p> |
| <ul> |
| <li>Syncope 1.2.x users should upgrade to 1.2.11</li> |
| <li>Syncope 2.0.x users should upgrade to 2.0.8</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Mitigation</b> |
| </p> |
| <p>Do not assign report and template entitlements to any administrator.</p> |
| |
| <p> |
| <b>Fixed in</b> |
| </p> |
| <p> |
| <ul> |
| <li>Release 1.2.11</li> |
| <li>Release 2.0.8</li> |
| </ul> |
| </p> |
| |
| <p>Read the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1321">full CVE advisory</a>.</p> |
| </subsection> |
| |
| <subsection name="CVE-2014-3503: Insecure Random implementations used to generate passwords"> |
| <p>A password is generated for a user in Apache Syncope under certain circumstances, when no existing password |
| is found. However, the password generation code is relying on insecure Random implementations, which means |
| that an attacker could attempt to guess a generated password.</p> |
| |
| <p> |
| <b>Affects</b> |
| </p> |
| <p> |
| <ul> |
| <li>Releases 1.1.0 to 1.1.7</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Fixed in</b> |
| </p> |
| <p> |
| <ul> |
| <li>Revision <a href="http://svn.apache.org/viewvc?view=revision&revision=r1596537">1596537</a></li> |
| <li>Release 1.1.8</li> |
| </ul> |
| </p> |
| |
| <p>Read the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3503">full CVE advisory</a>.</p> |
| </subsection> |
| |
| <subsection name="CVE-2014-0111: Remote code execution by an authenticated administrator"> |
| <p>In the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, |
| user / group templates, connObjectLinks of resource mappings) a malicious administrator can inject Java code |
| that can be executed remotely by the Java EE container running the Apache Syncope core.</p> |
| |
| <p> |
| <b>Affects</b> |
| </p> |
| <p> |
| <ul> |
| <li>Releases 1.0.0 to 1.0.8</li> |
| <li>Releases 1.1.0 to 1.1.6</li> |
| </ul> |
| </p> |
| |
| <p> |
| <b>Fixed in</b> |
| </p> |
| <p> |
| <ul> |
| <li>Revisions <a href="http://svn.apache.org/viewvc?view=revision&revision=r1586349">1586349</a> / <a href="http://svn.apache.org/viewvc?view=revision&revision=r1586317">1586317</a></li> |
| <li>Releases 1.0.9 / 1.1.7</li> |
| </ul> |
| </p> |
| |
| <p>Read the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0111">full CVE advisory</a>.</p> |
| </subsection> |
| </section> |
| |
| </body> |
| </document> |