Security Advisory: Workitem identifier weakness
Date: 18 April 2019
Severity: Medium (CVSS 4.3)
Affected versions: all midPoint versions up to 3.9
Fixed in versions: 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased), 3.6.2 (unreleased)
Any approver can display any workitem by guessing its short identifier.
Severity and Impact
This is a medium-severity issue. The attacker can gain read access to information stored in workitems that should otherwise be inaccessible. The impact of this vulnerability is limited to information leakage (confidentiality). The attacker cannot act on those workitems (integrity is not impacted). The approver role is needed to exploit this vulnerability.
MidPoint users are advised to upgrade their deployments to the latest builds from the support branches.
As this is a medium-severity issue, it does not force official maintenance releases of midPoint. However, the fix is provided in all the support branches.
Discussion and Explanation
MidPoint 3.9 and earlier relied on Activiti for all workflow-related processing. Activiti is a general-purpose workflow engine, and its design is based on different paradigms than the design of midPoint. Therefore, during the course of midPoint development there were often integration difficulties, and compromise solutions had to be implemented. This vulnerability may be considered an indirect consequence of such a compromise. A temporary solution that significantly reduces the probability of identifier guessing was implemented for midPoint 3.9 and earlier.
The "conceptual incompatibility" of Activiti and the midPoint core was also one of the reasons for the decision to remove the Activiti component in midPoint 4.0 and later. MidPoint 4.0 uses a completely different mechanism for dealing with workitems, one that is conceptually compatible with the rest of midPoint and especially with the midPoint authorization mechanism.
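As an added illustration (not midPoint or Activiti code), the following models the weakness class described above: a workitem lookup that checks only the approver role beside one that also checks that the caller is an assignee of the requested workitem, plus a simple audit count of object-level denials that identifier enumeration leaves behind. The workitem store, user names, payloads and detection threshold are constructed assumptions.

```python
"""Workitem lookup by guessable short id: vulnerable versus fixed check.

Added illustration, not midPoint or Activiti code; users, ids and payloads
are constructed sample data modelling the weakness class this advisory
describes (role check present, per-item authorization missing).
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class WorkItem:
    short_id: int
    assignees: frozenset   # users allowed to see and decide this item
    payload: str           # the sensitive part: what is being requested

# Constructed store; sequential short ids make the next id trivial to guess.
WORKITEMS = {
    101: WorkItem(101, frozenset({"alice"}), "grant Finance Admin to bob"),
    102: WorkItem(102, frozenset({"carol"}), "grant HR Reader to dave"),
}
APPROVERS = {"alice", "carol", "eve"}   # eve holds the role, owns no items

def get_workitem_vulnerable(user: str, short_id: int) -> Optional[WorkItem]:
    """Role check only: any approver can read any workitem by id (the bug)."""
    if user not in APPROVERS:
        return None
    return WORKITEMS.get(short_id)

def get_workitem_fixed(user: str, short_id: int) -> Optional[WorkItem]:
    """Role check plus object-level check: the caller must be an assignee.

    Unknown and forbidden ids are answered identically (None), so a guessed
    id does not even reveal whether that workitem exists."""
    if user not in APPROVERS:
        return None
    item = WORKITEMS.get(short_id)
    if item is None or user not in item.assignees:
        return None
    return item

def suspicious_users(denials, threshold: int = 3):
    """Detection side: users with at least `threshold` object-level denials,
    the audit pattern id enumeration leaves. `denials` is a list of
    (user, short_id) events recorded by the fixed lookup."""
    counts = {}
    for user, _short_id in denials:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```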
Variants of this issue were reported by Martin Lizner through the EU-Free and Open Source Software Auditing (EU-FOSSA2) project.