Security Advisory: MidPoint user interface clickjacking

MidPoint user interface is vulnerable to clickjacking. The attacker can embed midPoint user interface in a frame. The victim can be tricked into unknowingly initiating actions in the user interface. The issue was caused by a missing X-Frame-Options header.

This is medium-severity issue. There is a significant potential damage that an attacker can cause. The attack can be relatively easy on an uncustomized midPoint instance. However, midPoint user interface is almost always customized and configured to adapt to the specific environment. Therefore the attack is quite complex in practical cases, as it requires intimate knowledge of the deployment. Also, interaction of a privileged user is required.

MidPoint users are advised to upgrade their deployments to the latest builds from the support branches. MidPoint 3.6.x users are advised to upgrade to a newer midPoint version.

As this is a medium severity issue, it is not forcing official maintenance releases of midPoint. However, the fix is provided in all the support branches, except for midPoint 3.6 support branch. MidPoint 3.6 is using a different structural framework than later versions (i.e. it is not based on Spring Boot), therefore the fix cannot be directly backported. MidPoint 3.6 is also very close to the end of support, therefore midPoint 3.6 are strongly advised to upgrade to a newer midPoint versions as soon as possible. Albeit all those circumstances we can still provide fix for midPoint 3.6 in case that any midPoint subscriber asks for the fix.

This bug was reported by Yash Sodha (yashrs) by the means of EU-Free and Open Source Software Auditing (EU-FOSSA2) project.