Login Vulnerability Patch

Read-only forum. Used to announce new releases of EASYProcess.

Locked
JustinVanRegenmorter
Posts: 584
Joined: August 26th, 2021, 9:56 am
Contact:

Login Vulnerability Patch

Unread post by JustinVanRegenmorter »

A vulnerability with SAML users has been patched as of DesignTime Revision 2252 and RunTime Revision 951.

This vulnerability patch will be applied on Monday May 2nd to the DV and QA environments on the Platform installations and on Wednesday may 4th to the PD environment on the Platform installations. Refer to the weekly revision post for exact times for the installation your tenant is on.

To apply the patch first determine if the following objects have been modified in your applications.

In the Security Application, the Login Application Process (Login.xml) has been modified.
In Classic Applications, the GetKey POST API (GetKey_POST.xml) and the Login Webpage (UI-10000112.xml) have been modified.
In MVC Applications, the GetKey POST API (GetKey_POST.xml) and the EPLogin Method (METHOD-11000001.xml) have been modified.


If an object in your application has not been modified you can check it out and override it with the respective file using the "Import From XML" button in the Developer Workbench. The files to import are attached below in a zip file called Patch-952.zip. This file contains 3 folders. One for the Security app, one for Classic Applications, and one for MVC Applications.

If an object in your application has been modified please add the following change to the respective objects after checking it out.

For the Security Application Login Application Process:
  • In PreValues service add an Eval with the Name= IdentityProvider and Expression with the following code:

    Code: Select all

    <xsl:choose>
    	<xsl:when test="WorkData/_Parameters/IdentityProvider!=''">
    		<xsl:value-of select="WorkData/_Parameters/IdentityProvider"/>
    	</xsl:when>
    	<xsl:when test="WorkData/Header/IdentityProvider!=''">
    		<xsl:value-of select="WorkData/Header/IdentityProvider"/>
    	</xsl:when>
    	<xsl:otherwise></xsl:otherwise>
    </xsl:choose>
    
PreValues Service.PNG
  • After the User Exists? service copy and paste the following code. It will add 4 new services IPPassedIn, IPMatch, Output, and Terminate. Take the Yes connection from the User Exists? service and attach it to the IPPassedIn service. The No of the IPPassedIn service should then be connected to the ValidateUserId service. The Yes of the IPMatch service should also be connected to the

    Code: Select all

    {"Entity":{"ParentIdName":"","RelationType":"","EntityId":"PCN-10000989","EntityIds":"PCN-10000989,Login,,","UniqueId":"PCN-10000989,Login,,#Entity#ProcessCanvasObject","EntityName":"IPPassedIn","TableName":"ProcessCanvasObjects","LanguageTableName":"","EntityType":"ProcessCanvasObject","DescriptionPropertyName":"ObjectName","CreatedByPropertyName":"","CreatedOnPropertyName":"","UpdatedByPropertyName":"","UpdatedOnPropertyName":"","IdPropertyName":"CanvasObjectId","Type":"ProcessCanvasObject","Id":"PCN-10000989,Login,,","Properties":{"AllowExit":"","Built":"","CanvasObjectId":"PCN-10000989","CatchException":"","ConfigurationInstance":"","CustomColor":"0","DataKey":"","DataSize":"0","Document":"","ECCTimeout":"0","ExceptionConnector":"","ExceptionConnectorName":"E","ExecuteRemotely":"","ExecuteThroughECC":"","ExitTemplate":"","FromRecord":"","Height":"60","IsMultiThreaded":"","KeepEntireOutput":"","KeepExistingOutput":"No","LoadOutputInText":"","MarkItSkip":"","MaxNumberOfThreads":"","ObjectDescription":"IPPassedIn","ObjectIndex":"0","ObjectName":"IPPassedIn","ObjectType":"","OutputToTempWorkData":"","OverrideExistingOutput":"","ParentId1":"Login","ParentId2":"","ParentId3":"","Processed":"","RemoteEnterpriseServer":"","RemoteEnterpriseServerPort":"","RemoteEnterpriseServerTimeout":"","RemoteExecution":"","RemoteExecutionAddress":"","RemovePreviousOutput":"","ResetLoop":"","RESTIsArray":"","RESTOutput":"","RESTOutputName":"","SaveInLoop":"","SaveResultToDatabase":"","SelectOutput":"","ServiceName":"BinaryDecision","ServiceXml":"<ServiceXml><Service Id=\"IPPassedIn\" Name=\"BinaryDecision\" Workshop=\"ProcessFlowWorkshop\" OverrideExistingOutput= \"False\" KeepExistingOutput= \"False\" KeepEntireOutput=\"\" RemovePreviousOutput=\"FalseTrue\" DataKey = \"\"><BinaryDecision><Tests><Test IsArray=\"True\" Index=\"1\"><AndOr></AndOr><LeftClause>WorkData/PreValues/Output/Result/IdentityProvider</LeftClause><Operator>!=</Operator><Type>String</Type><RightClause>*BLANKS</RightClause></Test></Tests></BinaryDecision></Service></ServiceXml>","SOAPOutput":"","SOAPOutputName":"","Status":"","TabName":"","TempWorkDataName":"","TopLevelElements":"","ToRecord":"","Width":"160","WorkshopName":"ProcessFlowWorkshop","XPos":"200","XsltSelector":"","XsltSelectorMode":"","XsltSelectorNode":"","YesOnRight":"true","YPos":"830"},"RecordIdProperties":{"CanvasObjectId":"PCN-10000989","ParentId1":"Login","ParentId2":"","ParentId3":""},"EntityDetails":{"Entity":{"ParentIdName":"CanvasObjectId,ParentId1,ParentId2,ParentId3","RelationType":"","EntityId":"PSEN-10007483","EntityIds":"PSEN-10007483,Login,,,PCN-10000989","UniqueId":"PSEN-10007483,Login,,,PCN-10000989#Entity#ProcessServiceElementNode","EntityName":"BinaryDecision","TableName":"ProcessServiceElementNodes","LanguageTableName":"","EntityType":"ProcessServiceElementNode","DescriptionPropertyName":"ChildElement","CreatedByPropertyName":"","CreatedOnPropertyName":"","UpdatedByPropertyName":"","UpdatedOnPropertyName":"","IdPropertyName":"ElementNodeId","Type":"ProcessServiceElementNode","Id":"PSEN-10007483,Login,,,PCN-10000989","Properties":{"CanvasObjectId":"PCN-10000989","ChildElement":"BinaryDecision","Data":"","DesignData":"","DesignMode":"","Document":"","ElementNodeId":"PSEN-10007483","ErrorMessage":"","ForEachNode":"","Index":"0","MultipleIndex":"","ParentElement":"","ParentElementNode":"","ParentId1":"Login","ParentId2":"","ParentId3":"","ServiceElement":"BinaryDecision","ServiceName":"BinaryDecision","Status":"","ValidXml":"","WorkshopName":"ProcessFlowWorkshop","XsltSelector":"","XsltSelectorMode":"","XsltSelectorNode":""},"RecordIdProperties":{"ElementNodeId":"PSEN-10007483","ParentId1":"Login","ParentId2":"","ParentId3":"","CanvasObjectId":"PCN-10000989"},"EntityDetails":{"Entity":{"ParentIdName":"CanvasObjectId,ParentId1,ParentId2,ParentId3","RelationType":"","EntityId":"PSEN-10007484","EntityIds":"PSEN-10007484,Login,,,PCN-10000989","UniqueId":"PSEN-10007484,Login,,,PCN-10000989#Entity#ProcessServiceElementNode","EntityName":"Tests","TableName":"ProcessServiceElementNodes","LanguageTableName":"","EntityType":"ProcessServiceElementNode","DescriptionPropertyName":"ChildElement","CreatedByPropertyName":"","CreatedOnPropertyName":"","UpdatedByPropertyName":"","UpdatedOnPropertyName":"","IdPropertyName":"ElementNodeId","Type":"ProcessServiceElementNode","Id":"PSEN-10007484,Login,,,PCN-10000989","Properties":{"CanvasObjectId":"PCN-10000989","ChildElement":"Tests","Data":"","DesignData":"<Array Path=\"Test\"><Mode>Static</Mode><DynamicType/><LoopNode/><Raw>&lt;Test&gt;\n\t&lt;AndOr&gt;&lt;/AndOr&gt;\n\t&lt;LeftClause&gt;&lt;/LeftClause&gt;\n\t&lt;Operator&gt;\n\t\t=&lt;/Operator&gt;\n\t\t\t&lt;Type&gt;String&lt;/Type&gt;\n\t\t\t&lt;RightClause&gt;&lt;/RightClause&gt;\n\t\t&lt;/Test&gt;\n\t\t</Raw><Values><Value Index=\"1\"><Nodes><Node><Path>Test/AndOr</Path><Value/></Node><Node><Path>Test/LeftClause</Path><Value>WorkData/PreValues/Output/Result/IdentityProvider</Value></Node><Node><Path>Test/Operator</Path><Value>!=</Value></Node><Node><Path>Test/Type</Path><Value>String</Value></Node><Node><Path>Test/RightClause</Path><Value>*BLANKS</Value></Node></Nodes></Value></Values><Nodes><Node><Path>Test/Operator</Path><Value>=</Value></Node><Node><Path>Test/Type</Path><Value>String</Value></Node></Nodes></Array>","DesignMode":"Tree","Document":"","ElementNodeId":"PSEN-10007484","ErrorMessage":"","ForEachNode":"","Index":"0","MultipleIndex":"0","ParentElement":"BinaryDecision","ParentElementNode":"PSEN-10007483","ParentId1":"Login","ParentId2":"","ParentId3":"","ServiceElement":"Tests","ServiceName":"BinaryDecision","Status":"","ValidXml":"True","WorkshopName":"ProcessFlowWorkshop","XsltSelector":"","XsltSelectorMode":"","XsltSelectorNode":""},"RecordIdProperties":{"ElementNodeId":"PSEN-10007484","ParentId1":"Login","ParentId2":"","ParentId3":"","CanvasObjectId":"PCN-10000989"},"EntityDetails":}}}},"ValueTransformations":}}
Service Additions.PNG
For Classic Applications login Webpage:
  • In the Button control process in the Button control in Table2 and in the Button1 control in SAMLTable there is a Login service called Request that needs the IdentityProvider node set to EASYProcess.
Button Control Process.PNG
For Classic and MVC Applications GetKey POST REST API:
There are three Login services that now have a new node called Identity Provider that needs to get filled out.
  • The EASYProcess one can be found here and is called Request. The IdentityProvider node should have the value EASYProcess.
EP Login.PNG
  • The SAML one can be found here and is called Login. The IdentityProvider node should have the value SAML.
SAML Login.PNG
  • The OAuth one can be found here and is called Login. The IdentityProvider node should have the value OAuth.
OAuth Login.PNG
For MVC Applications EPLogin Method:
  • There is a Login service called Request that needs the IdentityProvider node set to EASYProcess.
EPLogin.PNG
EPLogin.PNG (23.06 KiB) Viewed 1821 times
EPLogin.PNG
EPLogin.PNG (23.06 KiB) Viewed 1821 times
Attachments
Patch-952.zip
(866.95 KiB) Downloaded 357 times
Patch-952.zip
(866.95 KiB) Downloaded 357 times
word count: 1026

Tags:
Locked