mod-login-saml / MODLOGSAML-50

Fix security vulnerability reported in pac4j-saml < 3.8.3


Details

    • CP: sprint 91
    • 5
    • Core: Platform

    Description

      Remediation

      Upgrade org.pac4j:pac4j-saml to version 3.8.3 or later. For example:

      <dependency>
        <groupId>org.pac4j</groupId>
        <artifactId>pac4j-saml</artifactId>
        <version>[3.8.3,)</version>
      </dependency>


      Always verify the validity and compatibility of suggestions with your codebase.

      Details: CVE-2019-10755

      low severity

      *Vulnerable versions:* < 3.8.3

      *Patched version:* 3.8.3

      The SAML identifiers generated in SAML2Utils.java were found to be built with the Apache commons-lang3 RandomStringUtils class, which makes them predictable because the PRNG behind RandomStringUtils is not cryptographically strong.
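      To show what the finding means in code, the following is an added example (not pac4j's or mod-login-saml's code) that puts the ID-generation pattern the CVE describes next to a hardened form; the exact body of pac4j's SAML2Utils.generateID() and the method names predictableId/unpredictableId are assumptions:

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

/**
 * Added example, not pac4j code. Assumes the vulnerable generator was the
 * RandomStringUtils.randomAlphanumeric() pattern that CVE-2019-10755 describes;
 * pac4j's actual SAML2Utils.generateID() body is not reproduced here.
 */
public final class SamlIdGeneration {

    // BEFORE (pattern the CVE describes): RandomStringUtils draws from a shared
    // java.util.Random, a 48-bit linear congruential generator, not a CSPRNG.
    // SAML IDs (AuthnRequest/Assertion ID, InResponseTo) are used to bind a
    // response to the request that triggered it, so they must not be guessable.
    static String predictableId() {
        return "_" + RandomStringUtils.randomAlphanumeric(39);
    }

    // AFTER: take the bytes from SecureRandom. 20 bytes = 160 bits of entropy,
    // hex-encoded to 40 characters; the leading "_" keeps the value a valid
    // xs:ID (an NCName must not start with a digit).
    private static final SecureRandom RNG = new SecureRandom();

    static String unpredictableId() {
        byte[] buf = new byte[20];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(41).append('_');
        for (byte b : buf) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16))
              .append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("weak   : " + predictableId());
        System.out.println("secure : " + unpredictableId());
    }
}
```

      Upgrading to pac4j-saml 3.8.3 or later is still the fix for mod-login-saml; the hardened method only illustrates what the patched library has to do differently.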

      https://snyk.io/vuln/SNYK-JAVA-ORGPAC4J-467407 says: "This issue only affects the 3.X release of pac4j-saml." This is wrong.

      pac4j-saml 2.0.0 (used by mod-login-saml) is also affected:

      pac4j-saml 1.9.9 is also affected:

      Details CVE-2019-17195

      http://www.pac4j.org/docs/release-notes.html says:
      pac4j v3.8.3: Upgrade the nimbus-jose-jwt library to version 7.9 because of CVE-2019-17195

      People

      cmcnally Craig McNally
      peter Peter Murray