Merge branch 'master' of https://github.com/Evolveum/docs

Evolveum · Jun 16, 2023 · 916c93b · 916c93b
2 parents b135d36 + 8073646
commit 916c93b
Show file tree

Hide file tree

Showing 7 changed files with 116 additions and 6 deletions.
diff --git a/docs/admin-gui/collections-views/configuration/index.adoc b/docs/admin-gui/collections-views/configuration/index.adoc
@@ -400,13 +400,14 @@ The example of search panel configuration for Users list page:
                 <displayName>Email address filter</displayName>
             </searchItem>
             <searchItem>
-                <path xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:telephoneNumber</c:path>
+                <path>telephoneNumber</path>
                 <description>Search item for search by telephone number</description>
                 <displayName>Tel. number</displayName>
             </searchItem>
         </searchItems>
     </searchBoxConfiguration>
     <type>c:UserType</type>
+    <identifier>allUsers</identifier>
 </objectCollectionView>
 ----
 

diff --git a/docs/diag/troubleshooting/authorizations.adoc b/docs/diag/troubleshooting/authorizations.adoc
@@ -105,6 +105,7 @@ In such a case the operation must be allowed.
 But the retrieved object needs to be post-processed to remove the fields that are not accessible to the user.
 This is done in two steps.
 
+// TODO this was changed in 4.8 - describe
 Firstly the set of _object security constraints_ is compiled from the authorizations.
 The _object security constraints_ is a data structure that describes which properties of an object are accessible to the user.
 There is a map (`itemConstraintMap`) with an entry for every item (property) which is explicitly mentioned in the authorizations.

diff --git a/docs/security/advisories/015-disabled-users-able-to-log-in-with-ldap.adoc b/docs/security/advisories/015-disabled-users-able-to-log-in-with-ldap.adoc
@@ -0,0 +1,28 @@
+= Security Advisory: Disabled Users able to log-in when LDAP authentication is enabled
+:page-display-order: 15
+:page-upkeep-status: green
+
+*Date:* 5 June 2023
+
+*Severity:* Medium (CVSS 5.7)
+
+*Affected versions:* all released midPoint versions
+
+*Fixed in versions:* 4.7.1, 4.4.5, 4.6.1
+
+
+== Description
+
+User which is disabled in midPoint, but still active in LDAP, is able to log-in to midPoint GUI if LDAP authentication was enabled and configured.
+
+== Severity and Impact
+
+This is medium-severity issue.
+
+The users perceived to not have access to the system, are still able to log in.
+
+== Mitigation
+
+* Disable LDAP authentication on affected midPoint versions
+* Automatically deactivate users in LDAP when they are disabled in midPoint.
+* Update midPoint to latest maintenance versions, which contains fix (4.7.1, 4.4.5, 4.6.1).
diff --git a/docs/security/advisories/016-unauth-user-is-able-to-reset-password.adoc b/docs/security/advisories/016-unauth-user-is-able-to-reset-password.adoc
@@ -0,0 +1,28 @@
+= Security Advisory: Unauthorized user is able to reset password if focusIdentification is enabled
+:page-display-order: 16
+:page-upkeep-status: green
+
+*Date:* 5 June 2023
+
+*Severity:* High (CVSS 8.0)
+
+*Affected versions:* 4.7
+
+*Fixed in versions:* 4.7.1
+
+
+== Description
+
+Attacker is able to change user password using password reset form, if `focusIdentification` is enabled and attacker manipulates URL to skip follow-up configured password reset authorization steps.
+
+== Severity and Impact
+
+This is high-severity issue.
+
+The affected feature is not enabled by default.
+The attacker can change password of existing user if `focusIdentification` authorization module was enabled (it is disabled by default).
+
+== Mitigation
+
+* Disabling `focusIdentification` for password reset functionality, or:
+* Upgrading to latest maintenance release 4.7.1
diff --git a/docs/security/advisories/017-self-registration-allows-to-change-password.adoc b/docs/security/advisories/017-self-registration-allows-to-change-password.adoc
@@ -0,0 +1,33 @@
+= Security Advisory: Self Registration feature allows to change password of other users
+:page-display-order: 17
+:page-upkeep-status: green
+
+*Date:* 5 June 2023
+
+*Severity:* High (CVSS 8.0)
+
+*Affected versions:* all midPoint versions
+
+*Fixed in versions:* 4.4.5, 4.6.1, 4.7.1
+
+
+== Description
+
+If self registration / post registration feature is enabled (feature is disabled by default),
+unauthorized attacker which knows OID of user is able to change password and or disable that user account exploiting vulnerability in post registration (invitation) form.
+
+== Severity and Impact
+
+This is high-severity issue.
+
+The affected feature is not enabled by default. MidPoint deployment is only affected if self registration feature is explicitly configured.
+
+If the self registration is enabled, the attacker can change password of existing user, and depending on configuration of self registration it can  effectively disable account of other user or gain access to that account.
+
+== Mitigation
+
+* Disable self-registration feature in affected versions if it was enabled.
+* Update to latest maintenance midPoint release which contains fix.
+* Reconfigure post registration and post registration link generation to use invitation authentication sequence.
+** See updated xref:/midpoint/reference/misc/self-registration[Self Registration documentation] for midPoint 4.6.1 and 4.7.1.
+** See xref:/midpoint/reference/misc/self-registration/configuration-before-4-6/[Self Registration configuration before 4.6] for midPoint 4.4.5.
diff --git a/docs/security/advisories/index.adoc b/docs/security/advisories/index.adoc
@@ -109,4 +109,26 @@
 | Apache JServ Protocol (AJP) of Apache Tomcat may be vulnerable to several types of attack.
 
 
-|===
+| 15
+| xref:/midpoint/reference/security/advisories/015-disabled-users-able-to-log-in-with-ldap/[Disabled Users able to log-in when LDAP authentication is enabled]
+| 5 June 2023
+| Medium
+| MidPoint allows log-in for disabled users if LDAP authorization is used.
+
+
+| 16
+| xref:/midpoint/reference/security/advisories/016-unauth-user-is-able-to-reset-password/[Unauthorized user is able to reset password if focusIdentification is enabled]
+| 5 June 2023
+| High
+| MidPoint 4.7 may be vulnerable to password reset attack if new password reset `focusIdentification` is configured.
+
+
+| 17
+| xref:/midpoint/reference/security/advisories/017-self-registration-allows-to-change-password/[Self Registration feature allows to change password of other users]
+| 5 June 2023
+| High
+| MidPoint may be vulnerable to password change attack if self registration or post registration is configured.
+
+
+
+|===
diff --git a/release-notes.adoc b/release-notes.adoc
@@ -77,7 +77,7 @@ Please see _Upgrade_ section below for details.
 
 == Changes With Respect To Version 4.4 LTS
 
-* TODO
+* Generic Repository with PostgreSQL is not supported, if you are using PostgreSQL with generic repository, please migrate to xref:/midpoint/reference/repository/native-postgresql/[PostgreSQL native repository]. 
 
 
 ++++
@@ -207,10 +207,7 @@ H2 is intended only for development, demo and similar use cases.
 It is *not* supported for any production use.
 Also, upgrade of deployments based on H2 database are not supported.
 
-* PostgreSQL 15, 14, 13, 12, and 11
-
 * Oracle 21c
-
 * Microsoft SQL Server 2019
 
 Support for xref:/midpoint/reference/repository/generic/[generic repository implementation] together with all the database engines supported by this implementation is *deprecated*.