
PI74857:Privilege escalation in full profile OIDC RP (CVE-2017-1151)



Abstract

Privilege escalation in full profile OIDC RP (CVE-2017-1151)

Download Description

THIS FIX HAS BEEN SUPERSEDED BY A LATER IFIX
This fix has been superseded by a fix for another APAR. For information on how to obtain the latest OpenID Connect runtime that includes this APAR, see the technote "Obtaining WebSphere OpenID Connect (OIDC) latest version".



PI74857 resolves the following problem:

ERROR DESCRIPTION:
There is a potential privilege escalation vulnerability in traditional WebSphere Application Server when using the OpenID Connect Trust Association Interceptor.

LOCAL FIX:
Do not include the OpenID Connect TAI class name, com.ibm.ws.security.oidc.client.RelyingParty, in the list of classes in the value of the com.ibm.websphere.security.InvokeTAIbeforeSSO global security custom property. This property can be updated from the Administrative Console > Global Security > Custom Properties panel.

PROBLEM SUMMARY:
There is a potential privilege escalation vulnerability in traditional WebSphere Application Server when using the OpenID Connect Trust Association Interceptor.

PROBLEM CONCLUSION:
The vulnerability is remediated.


NEW CUSTOM PROPERTIES:
New global OIDC TAI custom properties are added to the OIDC TAI in this fix (this is a combination of properties added for PI74857 and PI73381):

property name: clusterCaching
values: default=true
description: Set this property to false if you want each cluster member to maintain its own session cache. If DynaCache is enabled on the application server, it is always used for cache management, but if this property is set to false, session data is not shared among cluster members. When DynaCache is enabled on the server, the OIDC TAI lets DynaCache default the maximum number of entries in the cache. When cluster caching is turned on, that number of cache entries is shared among all cluster members. When cluster caching is turned off, each cluster member can store up to the DynaCache default maximum number of entries.

property name: stateIdTimeoutSeconds
values: default=600, minimum=60
description: The time, in seconds, that a login request to the OP is allowed to remain outstanding.

property name: maxStateCacheSize
values: default=10000, minimum=25, alternate value=0 (off)
description: Maximum number of state objects that can be held in the local state cache. Setting the value to 0 (zero) turns off the local state cache.

property name: useStateCookies
values: default=true
description: By default, the run time uses both local storage and browser cookies to store request data when a request is redirected to the OP. When this property is false, the OIDC TAI does not use browser cookies; only local storage is used.

property name: maxCookieSize
values: default=4093, minimum=500, maximum=4093
description: Maximum cookie size that the run time will create. At run time, if the data to be written is larger than the value of this property, the request is rejected. This property is the general limit; it can be overridden by maxStateCookieSize and by provider.<id>.postParameterCookieSize.

property name: maxStateCookieSize
values: default=4093, minimum=500, maximum=4093
description: Maximum state cookie size that the run time will create. At run time, if the data to be written is larger than the value of this property, the request is rejected. For state cookies, this property overrides the value set for maxCookieSize.

property name: useUniqueStateCookies
values: default=false
description: When this property is set to true, instead of using a single OIDCSTATE cookie for all requests, each request uses a new OIDCSTATE cookie.
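The following is an added configuration check, not IBM's code: it applies the local fix from this APAR (the OIDC TAI class must not appear in com.ibm.websphere.security.InvokeTAIbeforeSSO) and the documented minimum/maximum values of the new custom properties to a set of properties. The "name=value" line format and the sample configuration are assumptions made for the example.

```python
# Added example (not IBM's code): a configuration check built from the APAR text
# above. It flags the PI74857 local-fix condition (OIDC TAI class listed in
# InvokeTAIbeforeSSO) and validates the new OIDC TAI custom properties against the
# documented minimum/maximum values. The "name=value" line format is an assumption.
OIDC_TAI_CLASS = "com.ibm.ws.security.oidc.client.RelyingParty"
INVOKE_TAI_PROP = "com.ibm.websphere.security.InvokeTAIbeforeSSO"

# property -> (minimum, maximum); None means no upper bound. Documented defaults:
# stateIdTimeoutSeconds=600, maxStateCacheSize=10000, maxCookieSize=4093, maxStateCookieSize=4093.
LIMITS = {
    "stateIdTimeoutSeconds": (60, None),
    "maxStateCacheSize": (25, None),   # 0 is also allowed: it turns the cache off
    "maxCookieSize": (500, 4093),
    "maxStateCookieSize": (500, 4093),
}

# Constructed sample: a pre-fix configuration that still lists the OIDC TAI before SSO.
SAMPLE = """\
com.ibm.websphere.security.InvokeTAIbeforeSSO=com.example.CustomTAI,com.ibm.ws.security.oidc.client.RelyingParty
stateIdTimeoutSeconds=30
maxStateCacheSize=0
maxCookieSize=8000
"""

def parse_props(text):
    """Parse 'name=value' lines into a dict, ignoring blank lines and comments."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_props(props):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    listed = [c.strip() for c in props.get(INVOKE_TAI_PROP, "").split(",")]
    if OIDC_TAI_CLASS in listed:
        findings.append(f"{INVOKE_TAI_PROP} includes {OIDC_TAI_CLASS}; remove it (PI74857 local fix)")
    for name, (lo, hi) in LIMITS.items():
        if name not in props:
            continue                      # the documented default applies
        v = int(props[name])
        if name == "maxStateCacheSize" and v == 0:
            continue                      # 0 turns the local state cache off
        if v < lo or (hi is not None and v > hi):
            findings.append(f"{name}={v} is outside [{lo}, {hi if hi is not None else 'unbounded'}]")
    return findings

def effective_state_cookie_limit(props):
    """maxStateCookieSize overrides maxCookieSize for state cookies; both default to 4093."""
    return int(props.get("maxStateCookieSize", props.get("maxCookieSize", 4093)))
```

Running check_props(parse_props(SAMPLE)) reports the listed TAI class, the too-small stateIdTimeoutSeconds and the oversized maxCookieSize, while maxStateCacheSize=0 is accepted as the documented "off" value.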


The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.14, 8.5.5.12, and 9.0.0.4. Refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Keywords: IBMWL3WSS, OIDC




Prerequisites

PI57465

Installation Instructions

Please review the readme.txt for detailed installation instructions.


Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).


Document Information

Modified date:
15 June 2018

UID

swg24043444