Security Advisory: Plain text password in task objects in repository
Date: 23 May 2019
Severity: Low (CVSS 0.1-3.9)
Affected versions: all released midPoint versions
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased), 3.6.2 (unreleased)
Plaintext passwords are sometimes stored in task objects in the repository (database).
Severity and Impact
Tasks dealing with password manipulation (e.g. when doing bulk or asynchronous password reset) may contain plaintext password values. So a user that is able to retrieve these tasks from the repository can see them.
Most midPoint deployment are not affected by this issue at all. By default, there are no tasks that manipulate passwords, unless created explicitly by the midPoint administrator. Also, default midPoint configuration does not allow access to arbitrary task objects by anyone else than system administrator.
MidPoint users are advised to upgrade their deployments to the latest builds from the support branches.
As this is a low severity issue, it is not forcing official maintenance releases of midPoint. However, the fix is provided in all the support branches.
Discussion and Explanation
MidPoint can execute custom tasks on background. Typical ones are bulk actions (midPoint scripting) tasks and tasks that asynchronously execute specified object changes. Actions or changes to be executed are stored directly in these tasks. Although midPoint encrypts all the data that is to be stored into repository, it did not do that consistently and some data namely, data related to object changes passed through this encryption routine unnoticed.
The midPoint code was fixed to be able to recognize password data in more depth than before. However, there are some conditions that must be fulfilled here: basically, values to be protected must be marked as such. Please see this wiki page for more information.
This issue was reported by Martin Lzner and Arnošt Starosta by the means of EU-Free and Open Source Software Auditing (EU-FOSSA2) project.