Executive Summary
A recently identified vulnerability in the OIDC Authenticator component of Conjur has the potential to enable a user to authenticate successfully without having an ID token.
Affected Software
The OIDC Authenticator component of Conjur Open Source, versions 1.9.0 through 1.12.0 (inclusive).
Detailed Explanation
When a user sends a manipulated OIDC authentication request, it can result in an authentication bypass. The manipulated request will successfully authenticate if the following conditions are met:
• OIDC Authenticator is enabled
• The user is permitted to authenticate with the OIDC webservice
Recommendations
CyberArk highly recommends that all users using the OIDC Authenticator in the affected versions:
• Upgrade to version 1.13.0
• Until then, disable the OIDC Authenticator component.
• If you have sufficient logs, determine if you have been compromised by following the steps detailed in the FAQ.
CyberArk also highly recommends that all users using the affected versions of Conjur upgrade to version 1.13.0, in case they use the OIDC Authenticator in the future.
Frequently Asked Questions (FAQ)
- I am using the affected version but did not enable the OIDC Authenticator. Is my organization at risk?
No. This vulnerability only puts at risk those users who enabled the OIDC Authenticator. However, it is recommended that you upgrade to version 1.13.0 in case you use the OIDC Authenticator in the future.
- How can I tell if my organization has been compromised?
The following steps enable you to identify if your organization has been compromised during the period for which you have available logs:
- Run the following command:
  docker logs <conjur_dns> | grep "Started POST \"/authn-oidc\|Completed"
- Review each entry that contains 'Started POST "/authn-oidc'.
- If there is a user ID before '/authenticate', check the "Completed" message that follows. If the message is "Completed 200", your organization may have been compromised.
- If there is no user ID before '/authenticate', or if the "Completed" message does not contain "Completed 200", your organization has not been compromised by this vulnerability.
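The log review above can be automated. The script below is an added example, not CyberArk's tooling: it applies the advisory's three checks (request path under /authn-oidc, a user ID segment before /authenticate, and a following "Completed 200") to Rails-style request log lines such as those the grep command returns. The sample log lines are constructed, and the route layout (legitimate form /authn-oidc/<service-id>/<account>/authenticate, suspicious form with an extra <user-id> segment) is an assumption of this example.

```python
import re

# Constructed sample of Rails-style request log lines, as filtered
# "docker logs" output would look. Route layout assumed for this example:
#   legitimate: /authn-oidc/<service-id>/<account>/authenticate
#   suspicious: /authn-oidc/<service-id>/<account>/<user-id>/authenticate
SAMPLE_LOG = """\
Started POST "/authn-oidc/keycloak/myorg/authenticate" for 10.0.0.5 at 2022-03-01 10:00:00 +0000
Completed 200 OK in 45ms (Views: 0.2ms | ActiveRecord: 3.1ms)
Started POST "/authn-oidc/keycloak/myorg/alice/authenticate" for 10.0.0.9 at 2022-03-01 10:05:00 +0000
Completed 401 Unauthorized in 12ms
Started POST "/authn-oidc/keycloak/myorg/alice/authenticate" for 10.0.0.9 at 2022-03-01 10:06:00 +0000
Completed 200 OK in 40ms
Started POST "/authn-oidc/keycloak/myorg/authenticate" for 10.0.0.5 at 2022-03-01 10:08:00 +0000
"""

# Capture the request path of an OIDC authentication attempt (query string dropped).
STARTED_RE = re.compile(r'Started POST "(/authn-oidc/[^"?]*)')
# Capture the HTTP status from a "Completed <status> ..." line.
COMPLETED_RE = re.compile(r'\bCompleted (\d{3})\b')


def has_user_id_before_authenticate(path: str) -> bool:
    """True if the path carries an extra segment before '/authenticate'.

    Under the assumed layout a legitimate request has exactly four segments:
    authn-oidc / <service-id> / <account> / authenticate.
    """
    segments = [s for s in path.split("/") if s]
    return len(segments) > 4 and segments[-1] == "authenticate"


def find_suspicious_logins(log_text: str) -> list[dict]:
    """Return OIDC requests that carried a user ID and completed with HTTP 200.

    Each 'Started POST "/authn-oidc...' line is paired with the next
    'Completed' line, as the advisory's manual procedure does.
    """
    lines = log_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = STARTED_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        if not has_user_id_before_authenticate(path):
            continue
        # Look ahead for the matching "Completed" line. Under concurrent load
        # the lines of different requests can interleave, so stop at the next
        # "Started" line and treat the pairing as lost rather than guess.
        status = None
        for later in lines[i + 1:]:
            c = COMPLETED_RE.search(later)
            if c:
                status = c.group(1)
                break
            if later.startswith("Started "):
                break
        if status == "200":
            findings.append({"line": i + 1, "path": path, "status": status})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print(f"line {f['line']}: {f['path']} completed {f['status']} -> review")
```

Run it over real output by replacing SAMPLE_LOG with the text of the grep command (for example, piped in through sys.stdin). A hit means a request that named a user and still completed with 200, which is exactly the pattern the advisory asks you to review; a 401 or a lost pairing is not flagged, and a flagged entry is a lead for manual review rather than proof of compromise.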
- Is there a public exploit for this vulnerability?
No. This vulnerability was discovered internally by CyberArk. CyberArk has not received any information that indicates that this vulnerability has been publicly exploited.
For more information
If you have any questions or comments about this advisory, please email us at [email protected].