Differences

general:secadv-2019-01 [2024/02/15 00:00] – external edit 127.0.0.1
general:secadv-2019-01 [2024/10/07 20:30] (current) – MP -> SIS Meier, Erich
Line 29: Line 29:
 During internal testing, we discovered a security vulnerability in the Stages login procedure that can result in users being able to impersonate another Stages user. Any Stages system accounts, e.g. “root” and “default” are not affected. Direct access to server resources cannot be gained. The vulnerability can only be exploited when SAML authentication is enabled on the server. If SAML authentication is not enabled, the system is not vulnerable. During internal testing, we discovered a security vulnerability in the Stages login procedure that can result in users being able to impersonate another Stages user. Any Stages system accounts, e.g. “root” and “default” are not affected. Direct access to server resources cannot be gained. The vulnerability can only be exploited when SAML authentication is enabled on the server. If SAML authentication is not enabled, the system is not vulnerable.
  
-As the vulnerability is only known within Method Park, active exploitation is very improbable. None of the systems analyzed by Method Park including all Stages Cloud instances showed any evidence of unauthorized usage. Please contact us for further information how to analyze if your system has been impacted.+As the vulnerability is only known within UL Solutions Software Intensive Systems (SIS), active exploitation is very improbable. None of the systems analyzed by SIS including all Stages Cloud instances showed any evidence of unauthorized usage. Please contact us for further information how to analyze if your system has been impacted.
  
-If you see indications of unauthorized usage, please contact [[security-alerts@methodpark.com|]] immediately.+If you see indications of unauthorized usage, please contact [[security-alerts@ul.com]] immediately.
  
 ===== Resolution ===== ===== Resolution =====
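Review bot: the rename to UL Solutions Software Intensive Systems (SIS) leaves the risk statement "As the vulnerability is only known within ... active exploitation is very improbable" otherwise untouched, although this is a 2024/10/07 edit of a page named secadv-2019-01; a reader of the current revision cannot tell whether that assessment still holds or dates from the original publication, so consider qualifying it ("at the time of publication") or re-confirming it as part of this edit. Minor: "further information how to analyze if your system has been impacted" reads better as "further information on how to analyze whether your system has been impacted".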
Line 40: Line 40:
  
   * 7.3.5.1   * 7.3.5.1
-      * [[https://www.methodpark.de/downloads/stages/stages-7.3.5.1-x64.exe|https://www.methodpark.de/downloads/stages/stages-7.3.5.1-x64.exe]] +    * [[https://www.methodpark.de/downloads/stages/stages-7.3.5.1-x64.exe|https://www.methodpark.de/downloads/stages/stages-7.3.5.1-x64.exe]] 
-      * [[https://www.methodpark.de/downloads/stages/stages-7.3.5.1-1.x86_64.rpm|https://www.methodpark.de/downloads/stages/stages-7.3.5.1-1.x86_64.rpm]] +    * [[https://www.methodpark.de/downloads/stages/stages-7.3.5.1-1.x86_64.rpm|https://www.methodpark.de/downloads/stages/stages-7.3.5.1-1.x86_64.rpm]] 
-      * [[https://www.methodpark.de/downloads/stages/changes-7.3.5.1.html|https://www.methodpark.de/downloads/stages/changes-7.3.5.1.html]]+    * [[https://www.methodpark.de/downloads/stages/changes-7.3.5.1.html|https://www.methodpark.de/downloads/stages/changes-7.3.5.1.html]]
   * 7.2.1.4   * 7.2.1.4
-      * [[https://www.methodpark.de/downloads/stages/stages-7.2.1.4-x64.exe|https://www.methodpark.de/downloads/stages/stages-7.2.1.4-x64.exe]] +    * [[https://www.methodpark.de/downloads/stages/stages-7.2.1.4-x64.exe|https://www.methodpark.de/downloads/stages/stages-7.2.1.4-x64.exe]] 
-      * [[https://www.methodpark.de/downloads/stages/stages-7.2.1.4-1.x86_64.rpm|https://www.methodpark.de/downloads/stages/stages-7.2.1.4-1.x86_64.rpm]] +    * [[https://www.methodpark.de/downloads/stages/stages-7.2.1.4-1.x86_64.rpm|https://www.methodpark.de/downloads/stages/stages-7.2.1.4-1.x86_64.rpm]] 
-      * [[https://www.methodpark.de/downloads/stages/changes-7.2.1.4.html|https://www.methodpark.de/downloads/stages/changes-7.2.1.4.html]]+    * [[https://www.methodpark.de/downloads/stages/changes-7.2.1.4.html|https://www.methodpark.de/downloads/stages/changes-7.2.1.4.html]]
   * 6.7.8.1   * 6.7.8.1
-      * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1.exe|https://www.methodpark.de/downloads/stages/stages-6.7.8.1.exe]] +    * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1.exe|https://www.methodpark.de/downloads/stages/stages-6.7.8.1.exe]] 
-      * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1-x64.exe|https://www.methodpark.de/downloads/stages/stages-6.7.8.1-x64.exe]] +    * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1-x64.exe|https://www.methodpark.de/downloads/stages/stages-6.7.8.1-x64.exe]] 
-      * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1.tar.gz|https://www.methodpark.de/downloads/stages/stages-6.7.8.1.tar.gz]] +    * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1.tar.gz|https://www.methodpark.de/downloads/stages/stages-6.7.8.1.tar.gz]] 
-      * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1-1.noarch.rpm|https://www.methodpark.de/downloads/stages/stages-6.7.8.1-1.noarch.rpm]] +    * [[https://www.methodpark.de/downloads/stages/stages-6.7.8.1-1.noarch.rpm|https://www.methodpark.de/downloads/stages/stages-6.7.8.1-1.noarch.rpm]] 
-      * [[https://www.methodpark.de/downloads/stages/changes-6.7.8.1.html|https://www.methodpark.de/downloads/stages/changes-6.7.8.1.html]]+    * [[https://www.methodpark.de/downloads/stages/changes-6.7.8.1.html|https://www.methodpark.de/downloads/stages/changes-6.7.8.1.html]]
  
-Please contact the Stages customer care team via [[stages-support@methodpark.com|]] in case you need further support or if you are not able to upgrade your system at this time.+Please contact the Stages customer care team via [[stages-support@methodpark.com]] in case you need further support or if you are not able to upgrade your system at this time.
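Review bot: the customer care link on the last line still points at `[[stages-support@methodpark.com]]`, while the same revision moved the security contact to `[[security-alerts@ul.com]]`; if the methodpark.com mailboxes are being retired as part of the MP -> SIS change, this address needs the same update, otherwise customers following the advisory may end up contacting an unmonitored mailbox. The download links in this hunk likewise remain on methodpark.de; confirm they still resolve to the patched builds (7.3.5.1, 7.2.1.4, 6.7.8.1) before publishing the revision.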