Differences

general:secadv-2019-01 [2019/10/10 15:30] emr
general:secadv-2019-01 [2021/12/16 12:55] emr
Line 1: Line 1:
 ====== Security Advisory 2019-01 ====== ====== Security Advisory 2019-01 ======
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>**__Summary:__** Possible user impersonation in Stages when SAML authentication is enabled</font>+===== Summary =====
  
-<font 11pt/Calibri,sans-serif;;inherit;;yellow>**__Release Date:__** XX</font>-10-2019+Possible user impersonation in Stages when SAML authentication is enabled
  
-[[https://nvd.nist.gov/vuln-metrics/cvss|**__Severity:__** Medium (according to NVD definition]]; [[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator|CVSS]] score: 4.6)+===== Release Date =====
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>**__Affected Versions:__**</font>+2019-10-11
  
-  * <font 11pt/Calibri,sans-serif;;inherit;;inherit>7.3.0.0 to 7.3.5.0</font> +===== Severity =====
-  * <font 11pt/Calibri,sans-serif;;inherit;;inherit>7.2.0.0 to 7.2.1.3</font> +
-  * <font 11pt/Calibri,sans-serif;;inherit;;inherit>6.7.4.2 to 6.7.8.0</font>+
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>Previous minor and major versions, e.g7.1.x.y, 7.0.x.y, 6.6.x.y, 6.5.x.y, or 5.x.y.z are not affected.</font>+**Medium ** (according to [[https://nvd.nist.gov/vuln-metrics/cvss|NVD]] definition[[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator|CVSS]] score: 4.6)
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>Only installations that have enabled SAML authentication are vulnerable.</font>+===== Affected Versions =====
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>To find out which Stages version you are running, log in as “root” and click on the “Info” icon (6.x) or “Administration” menu (7.x).</font>+  * 7.3.0.0 to 7.3.5.0 
 +  * 7.2.0.0 to 7.2.1.3 
 +  * 6.7.4.2 to 6.7.8.0
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>**__Description:__**</font>+Previous minor and major versionse.g. 7.1.x.y, 7.0.x.y, 6.6.x.y, 6.5.x.y, or 5.x.y.z are not affected.
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>During internal testing, we discovered a security vulnerability in the Stages login procedure that can result in users being able to impersonate another Stages user. Any Stages system accounts, e.g. “root” and “default” are not affected. Direct access to server resources cannot be gained. The vulnerability can only be exploited when SAML authentication is enabled on the server. If SAML authentication is not enabled, the system is not vulnerable.</font>+Only installations that have enabled SAML authentication are vulnerable.
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>All vulnerable Stages Cloud instances have already been upgraded to versions that do not have the issue.</font>+To find out which Stages version you are running, log in as “root” and click on the “Info” icon (6.x) or “Administration” menu (7.x).
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>As the vulnerability is only known within Method Park, active exploitation is very improbable. None of the systems analyzed by Method Park including all Stages Cloud instances showed any evidence of unauthorized usage. Please contact us for further information how to analyze if your system has been impacted.</font>+===== Description =====
  
-[[security-alerts@methodpark.com|If you see indications of unauthorized usageplease contact security-alerts@methodpark.com]] immediately.+During internal testing, we discovered a security vulnerability in the Stages login procedure that can result in users being able to impersonate another Stages userAny Stages system accountse.g. “root” and “default” are not affected. Direct access to server resources cannot be gained. The vulnerability can only be exploited when SAML authentication is enabled on the server. If SAML authentication is not enabled, the system is not vulnerable.
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>**__Fix:__**</font>+As the vulnerability is only known within Method Parkactive exploitation is very improbable. None of the systems analyzed by Method Park including all Stages Cloud instances showed any evidence of unauthorized usage. Please contact us for further information how to analyze if your system has been impacted.
  
-<font 11pt/Calibri,sans-serif;;inherit;;inherit>Upgrade your system to one of the following Stages versions:</font>+If you see indications of unauthorized usageplease contact [[security-alerts@methodpark.com|]] immediately.
  
-  * <font 11pt/Calibri,sans-serif;;inherit;;inherit>7.3.5.1</font>     * [[https://www.methodpark.de/downloads/stages/stages-7.3.5.1-x64.exe|https://www.methodpark.de/downloads/stages/stages-7.3.5.1-x64.exe]] +===== Resolution =====
-         * [[https://www.methodpark.de/downloads/stages/stages-7.3.5.1-1.x86_64.rpm|https://www.methodpark.de/downloads/stages/stages-7.3.5.1-1.x86_64.rpm]] +
-         * [[https://www.methodpark.de/downloads/stages/changes-7.3.5.1.html|https://www.methodpark.de/downloads/stages/changes-7.3.5.1.html]] +
-     * <font 11pt/Calibri,sans-serif;;inherit;;inherit>7.2.1.4</font>     * [[https://www.methodpark.de/downloads/stages/stages-7.2.1.4-x64.exe|https://www.methodpark.de/downloads/stages/stages-7.2.1.4-x64.exe]] +
-         * [[https://www.methodpark.de/downloads/stages/stages-7.2.1.4-1.x86_64.rpm|https://www.methodpark.de/downloads/stages/stages-7.2.1.4-1.x86_64.rpm]] +
-         * [[https://www.methodpark.de/downloads/stages/changes-7.2.1.4.html|https://www.methodpark.de/downloads/stages/changes-7.2.1.4.htm]] +
-     * <font 11pt/Calibri,sans-serif;;inherit;;inherit>6.7.8.1</font>     * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1.exe|https://www.methodpark.de/downloads/stages/stages-6.7.8.1.exe]] +
-         * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1-x64.exe|https://www.methodpark.de/downloads/stages/stages-6.7.8.1-x64.exe]] +
-         * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1.tar.gz|https://www.methodpark.de/downloads/stages/stages-6.7.8.1.tar.gz]] +
-         * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1-1.noarch.rpm|https://www.methodpark.de/downloads/stages/stages-6.7.8.1-1.noarch.rpm]] +
-         * [[https://www.methodpark.de/downloads/stages/changes-6.7.8.1.html|https://www.methodpark.de/downloads/stages/changes-6.7.8.1.html]]+
  
-[[stages-support@methodpark.com|Please contact the Stages customer care team via stages-support@methodpark.com]] in case you need further support or if you are not able to upgrade your system at this time.+All vulnerable Stages Cloud instances have already been upgraded to versions that do not have the issue. 
 + 
 +If you are using Stages on premise, please upgrade your system to one of the following Stages versions: 
 + 
 +  * 7.3.5.1 
 +      * [[https://www.methodpark.de/downloads/stages/stages-7.3.5.1-x64.exe|https://www.methodpark.de/downloads/stages/stages-7.3.5.1-x64.exe]] 
 +      * [[https://www.methodpark.de/downloads/stages/stages-7.3.5.1-1.x86_64.rpm|https://www.methodpark.de/downloads/stages/stages-7.3.5.1-1.x86_64.rpm]] 
 +      * [[https://www.methodpark.de/downloads/stages/changes-7.3.5.1.html|https://www.methodpark.de/downloads/stages/changes-7.3.5.1.html]] 
 +  * 7.2.1.4 
 +      * [[https://www.methodpark.de/downloads/stages/stages-7.2.1.4-x64.exe|https://www.methodpark.de/downloads/stages/stages-7.2.1.4-x64.exe]] 
 +      * [[https://www.methodpark.de/downloads/stages/stages-7.2.1.4-1.x86_64.rpm|https://www.methodpark.de/downloads/stages/stages-7.2.1.4-1.x86_64.rpm]] 
 +      * [[https://www.methodpark.de/downloads/stages/changes-7.2.1.4.html|https://www.methodpark.de/downloads/stages/changes-7.2.1.4.html]] 
 +  * 6.7.8.1 
 +      * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1.exe|https://www.methodpark.de/downloads/stages/stages-6.7.8.1.exe]] 
 +      * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1-x64.exe|https://www.methodpark.de/downloads/stages/stages-6.7.8.1-x64.exe]] 
 +      * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1.tar.gz|https://www.methodpark.de/downloads/stages/stages-6.7.8.1.tar.gz]] 
 +      * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1-1.noarch.rpm|https://www.methodpark.de/downloads/stages/stages-6.7.8.1-1.noarch.rpm]] 
 +      * [[https://www.methodpark.de/downloads/stages/changes-6.7.8.1.html|https://www.methodpark.de/downloads/stages/changes-6.7.8.1.html]] 
 + 
 +Please contact the Stages customer care team via [[stages-support@methodpark.com|]] in case you need further support or if you are not able to upgrade your system at this time.
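Review bot: the new Severity line (the `+` side of the line that also removes the old `Severity:` link) leaves a stray space inside the bold markers, `**Medium **`, and runs the NVD and CVSS references together as `definition[[...|CVSS]] score: 4.6)` with no separator, where the 2019 side read `definition]]; [[...|CVSS]] score: 4.6)`; suggest `**Medium** (according to [[https://nvd.nist.gov/vuln-metrics/cvss|NVD]] definition; [[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator|CVSS]] score: 4.6)`. Several other `+` lines show the same dropped-comma pattern ("versionse.g.", "accountse.g.", "Method Parkactive", "usageplease"); whether the commas are missing in the stored text or were only lost in the diff rendering, the saved page should be checked. Two points carried over unchanged from the 2019 text: "further information how to analyze" reads better as "further information on how to analyze", and the advisory gives an administrator nothing to check locally (for example in the login or SAML audit trail) before contacting Method Park, so if such guidance exists a sentence pointing to it would make the "contact us" line actionable.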