Information leakage with NAM Identity Server and SAML2 Service Provider while using Virtual Attributes (CVE-2017-5190)

  • 7018792
  • 11-Apr-2017
  • 13-Apr-2017

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
Virtual Attributes enabled on Identity Server
NAM Acting as a SAML 2.0 Identity Server
CVE-2017-5190

Situation

Access Manager is deployed as a SAML 2.0 Identity Server (identity provider) that generates assertions for remote SAML 2.0 Service Providers. Within these assertions, the NameIdentifier (NameID) value is populated from a Virtual Attribute.

At an indeterminate frequency, a user accessing the application on the SAML SP is redirected to the NAM Identity Server to log in. After logging in to the NAM Identity Server, the user single-signs-on to the SP but is presented with a stale profile: the NameID in the assertion does not correspond to the user who just authenticated, so the SP resolves the session to a profile that is not the user's own. This cross-user disclosure is the information leakage tracked as CVE-2017-5190.

This issue only manifests when the NameID is populated from a Virtual Attribute; assertions whose NameID is mapped directly from an LDAP attribute are not affected.
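The following SP-side consistency check is an added example for this TID, not NetIQ code. It parses a SAML 2.0 Response, extracts the Subject NameID and the AttributeStatement, and rejects an assertion whose NameID does not agree with an attribute that identifies the same user. It assumes (this is not stated in the TID) that the SP also receives a `mail` attribute mapped straight from the LDAP user store and that the NameID is in e-mail format; the two responses it builds are constructed samples, with signatures and conditions omitted.

```python
"""SP-side consistency check for SAML 2.0 assertions whose NameID comes from
a NAM Virtual Attribute.  Added example, not NetIQ code.  Assumptions (not
from the TID): the SP also receives a "mail" attribute mapped straight from
LDAP, and the NameID is in e-mail format.  The responses built below are
constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _response(name_id: str, mail: str) -> str:
    # Builds a minimal constructed SAML Response; signature and conditions
    # are omitted because only the identity fields matter for this check.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2017-04-11T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-04-11T10:00:00Z">
    <saml:Issuer>https://idp.example.com/nidp/saml2/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>{mail}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed samples: a healthy assertion, and one showing the stale-profile
# symptom (NameID carries a value computed for bob, attributes are alice's).
CONSISTENT_RESPONSE = _response("alice@example.com", "alice@example.com")
STALE_RESPONSE = _response("bob@example.com", "alice@example.com")


def extract_identity(response_xml: str) -> dict:
    """Return {'name_id': str|None, 'attributes': {Name: [values]}}."""
    root = ET.fromstring(response_xml)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": (nid.text or "").strip() if nid is not None else None,
        "attributes": attributes,
    }


def check_name_id_consistency(response_xml: str, cross_check_attr: str = "mail"):
    """Compare the NameID with an LDAP-sourced attribute naming the same user.

    Returns (ok, reason).  ok is False both on a mismatch and when the
    cross-check is impossible, so the caller never silently trusts the NameID.
    """
    ident = extract_identity(response_xml)
    expected = ident["attributes"].get(cross_check_attr, [])
    if ident["name_id"] is None or not expected:
        return False, f"cannot cross-check: NameID or {cross_check_attr} missing"
    if ident["name_id"].lower() in {v.lower() for v in expected}:
        return True, f"NameID agrees with {cross_check_attr}"
    return False, (f"NameID {ident['name_id']!r} disagrees with {cross_check_attr} "
                   f"{expected!r}: possible stale Virtual Attribute value")


if __name__ == "__main__":
    for label, resp in (("consistent", CONSISTENT_RESPONSE), ("stale", STALE_RESPONSE)):
        ok, reason = check_name_id_consistency(resp)
        print(f"{label}: {'OK' if ok else 'REJECT'} ({reason})")
```

The check can only catch the symptom when the SP receives at least one attribute mapped directly from LDAP alongside the Virtual-Attribute NameID; it is a detection aid on the SP side and does not replace applying the hot fix on the Identity Server.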

Resolution

Apply the NAM 4.2 SP3 Hot Fix 1 patch to NAM 4.2 builds, and the NAM 4.3 SP1 Hot Fix 1 patch to NAM 4.3 builds.

As a workaround until the hot fix is applied, write the Virtual Attribute's value to an attribute in the LDAP user store and map that LDAP attribute into the assertion in place of the Virtual Attribute, so the NameID is read from the user's own LDAP entry rather than computed by the Virtual Attribute framework at login time.

Cause

A concurrency issue in Virtual Attribute evaluation on the Identity Server: under concurrent logins, the value computed for one user's request can be placed in another user's assertion, so the NameID sent to the SP identifies the wrong user.