Login Vulnerability Patch
Posted: April 29th, 2022, 9:21 am
A vulnerability with SAML users has been patched as of DesignTime Revision 2252 and RunTime Revision 951.
This vulnerability patch will be applied on Monday May 2nd to the DV and QA environments on the Platform installations and on Wednesday May 4th to the PD environment on the Platform installations. Refer to the weekly revision post for the exact times for the installation your tenant is on.
To apply the patch, first determine whether the following objects have been modified in your applications.
In the Security Application, the Login Application Process (Login.xml) has been modified.
In Classic Applications, the GetKey POST API (GetKey_POST.xml) and the Login Webpage (UI-10000112.xml) have been modified.
In MVC Applications, the GetKey POST API (GetKey_POST.xml) and the EPLogin Method (METHOD-11000001.xml) have been modified.
If an object in your application has not been modified, you can check it out and overwrite it with the respective file using the "Import From XML" button in the Developer Workbench. The files to import are attached below in a zip file called Patch-952.zip. This file contains three folders: one for the Security app, one for Classic Applications, and one for MVC Applications.
If an object in your application has been modified, check it out and then add the following change to the respective object.
For the Security Application Login Application Process:
- In the PreValues service add an Eval with Name = IdentityProvider and an Expression containing the following code:
Code:
<xsl:choose>
  <xsl:when test="WorkData/_Parameters/IdentityProvider!=''">
    <xsl:value-of select="WorkData/_Parameters/IdentityProvider"/>
  </xsl:when>
  <xsl:when test="WorkData/Header/IdentityProvider!=''">
    <xsl:value-of select="WorkData/Header/IdentityProvider"/>
  </xsl:when>
  <xsl:otherwise></xsl:otherwise>
</xsl:choose>
- After the User Exists? service, paste the following code. It adds four new services: IPPassedIn, IPMatch, Output, and Terminate. Connect the Yes output of the User Exists? service to the IPPassedIn service. Connect the No output of the IPPassedIn service to the ValidateUserId service. The Yes of the IPMatch service should also be connected to the
Code:
{"Entity":{"ParentIdName":"","RelationType":"","EntityId":"PCN-10000989","EntityIds":"PCN-10000989,Login,,","UniqueId":"PCN-10000989,Login,,#Entity#ProcessCanvasObject","EntityName":"IPPassedIn","TableName":"ProcessCanvasObjects","LanguageTableName":"","EntityType":"ProcessCanvasObject","DescriptionPropertyName":"ObjectName","CreatedByPropertyName":"","CreatedOnPropertyName":"","UpdatedByPropertyName":"","UpdatedOnPropertyName":"","IdPropertyName":"CanvasObjectId","Type":"ProcessCanvasObject","Id":"PCN-10000989,Login,,","Properties":{"AllowExit":"","Built":"","CanvasObjectId":"PCN-10000989","CatchException":"","ConfigurationInstance":"","CustomColor":"0","DataKey":"","DataSize":"0","Document":"","ECCTimeout":"0","ExceptionConnector":"","ExceptionConnectorName":"E","ExecuteRemotely":"","ExecuteThroughECC":"","ExitTemplate":"","FromRecord":"","Height":"60","IsMultiThreaded":"","KeepEntireOutput":"","KeepExistingOutput":"No","LoadOutputInText":"","MarkItSkip":"","MaxNumberOfThreads":"","ObjectDescription":"IPPassedIn","ObjectIndex":"0","ObjectName":"IPPassedIn","ObjectType":"","OutputToTempWorkData":"","OverrideExistingOutput":"","ParentId1":"Login","ParentId2":"","ParentId3":"","Processed":"","RemoteEnterpriseServer":"","RemoteEnterpriseServerPort":"","RemoteEnterpriseServerTimeout":"","RemoteExecution":"","RemoteExecutionAddress":"","RemovePreviousOutput":"","ResetLoop":"","RESTIsArray":"","RESTOutput":"","RESTOutputName":"","SaveInLoop":"","SaveResultToDatabase":"","SelectOutput":"","ServiceName":"BinaryDecision","ServiceXml":"<ServiceXml><Service Id=\"IPPassedIn\" Name=\"BinaryDecision\" Workshop=\"ProcessFlowWorkshop\" OverrideExistingOutput= \"False\" KeepExistingOutput= \"False\" KeepEntireOutput=\"\" RemovePreviousOutput=\"FalseTrue\" DataKey = \"\"><BinaryDecision><Tests><Test IsArray=\"True\" Index=\"1\"><AndOr></AndOr><LeftClause>WorkData/PreValues/Output/Result/IdentityProvider</LeftClause><Operator>!=</Operator><Type>String</Type><RightClause>*BLANKS</RightClause></Test></Tests></BinaryDecision></Service></ServiceXml>","SOAPOutput":"","SOAPOutputName":"","Status":"","TabName":"","TempWorkDataName":"","TopLevelElements":"","ToRecord":"","Width":"160","WorkshopName":"ProcessFlowWorkshop","XPos":"200","XsltSelector":"","XsltSelectorMode":"","XsltSelectorNode":"","YesOnRight":"true","YPos":"830"},"RecordIdProperties":{"CanvasObjectId":"PCN-10000989","ParentId1":"Login","ParentId2":"","ParentId3":""},"EntityDetails":{"Entity":{"ParentIdName":"CanvasObjectId,ParentId1,ParentId2,ParentId3","RelationType":"","EntityId":"PSEN-10007483","EntityIds":"PSEN-10007483,Login,,,PCN-10000989","UniqueId":"PSEN-10007483,Login,,,PCN-10000989#Entity#ProcessServiceElementNode","EntityName":"BinaryDecision","TableName":"ProcessServiceElementNodes","LanguageTableName":"","EntityType":"ProcessServiceElementNode","DescriptionPropertyName":"ChildElement","CreatedByPropertyName":"","CreatedOnPropertyName":"","UpdatedByPropertyName":"","UpdatedOnPropertyName":"","IdPropertyName":"ElementNodeId","Type":"ProcessServiceElementNode","Id":"PSEN-10007483,Login,,,PCN-10000989","Properties":{"CanvasObjectId":"PCN-10000989","ChildElement":"BinaryDecision","Data":"","DesignData":"","DesignMode":"","Document":"","ElementNodeId":"PSEN-10007483","ErrorMessage":"","ForEachNode":"","Index":"0","MultipleIndex":"","ParentElement":"","ParentElementNode":"","ParentId1":"Login","ParentId2":"","ParentId3":"","ServiceElement":"BinaryDecision","ServiceName":"BinaryDecision","Status":"","ValidXml":"","WorkshopName":"ProcessFlowWorkshop","XsltSelector":"","XsltSelectorMode":"","XsltSelectorNode":""},"RecordIdProperties":{"ElementNodeId":"PSEN-10007483","ParentId1":"Login","ParentId2":"","ParentId3":"","CanvasObjectId":"PCN-10000989"},"EntityDetails":{"Entity":{"ParentIdName":"CanvasObjectId,ParentId1,ParentId2,ParentId3","RelationType":"","EntityId":"PSEN-10007484","EntityIds":"PSEN-10007484,Login,,,PCN-10000989","UniqueId":"PSEN-10007484,Login,,,PCN-10000989#Entity#ProcessServiceElementNode","EntityName":"Tests","TableName":"ProcessServiceElementNodes","LanguageTableName":"","EntityType":"ProcessServiceElementNode","DescriptionPropertyName":"ChildElement","CreatedByPropertyName":"","CreatedOnPropertyName":"","UpdatedByPropertyName":"","UpdatedOnPropertyName":"","IdPropertyName":"ElementNodeId","Type":"ProcessServiceElementNode","Id":"PSEN-10007484,Login,,,PCN-10000989","Properties":{"CanvasObjectId":"PCN-10000989","ChildElement":"Tests","Data":"","DesignData":"<Array Path=\"Test\"><Mode>Static</Mode><DynamicType/><LoopNode/><Raw><Test>\n\t<AndOr></AndOr>\n\t<LeftClause></LeftClause>\n\t<Operator>\n\t\t=</Operator>\n\t\t\t<Type>String</Type>\n\t\t\t<RightClause></RightClause>\n\t\t</Test>\n\t\t</Raw><Values><Value Index=\"1\"><Nodes><Node><Path>Test/AndOr</Path><Value/></Node><Node><Path>Test/LeftClause</Path><Value>WorkData/PreValues/Output/Result/IdentityProvider</Value></Node><Node><Path>Test/Operator</Path><Value>!=</Value></Node><Node><Path>Test/Type</Path><Value>String</Value></Node><Node><Path>Test/RightClause</Path><Value>*BLANKS</Value></Node></Nodes></Value></Values><Nodes><Node><Path>Test/Operator</Path><Value>=</Value></Node><Node><Path>Test/Type</Path><Value>String</Value></Node></Nodes></Array>","DesignMode":"Tree","Document":"","ElementNodeId":"PSEN-10007484","ErrorMessage":"","ForEachNode":"","Index":"0","MultipleIndex":"0","ParentElement":"BinaryDecision","ParentElementNode":"PSEN-10007483","ParentId1":"Login","ParentId2":"","ParentId3":"","ServiceElement":"Tests","ServiceName":"BinaryDecision","Status":"","ValidXml":"True","WorkshopName":"ProcessFlowWorkshop","XsltSelector":"","XsltSelectorMode":"","XsltSelectorNode":""},"RecordIdProperties":{"ElementNodeId":"PSEN-10007484","ParentId1":"Login","ParentId2":"","ParentId3":"","CanvasObjectId":"PCN-10000989"},"EntityDetails":}}}},"ValueTransformations":}}
- In the Button control process, in the Button control in Table2 and in the Button1 control in SAMLTable, there is a Login service called Request that needs its IdentityProvider node set to EASYProcess.
There are three Login services that now have a new node called Identity Provider that needs to get filled out.
- The EASYProcess one can be found here and is called Request. The IdentityProvider node should have the value EASYProcess.
- The SAML one can be found here and is called Login. The IdentityProvider node should have the value SAML.
- The OAuth one can be found here and is called Login. The IdentityProvider node should have the value OAuth.
- There is a Login service called Request that needs the IdentityProvider node set to EASYProcess.
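The following Python model is added here to illustrate the decision logic the patch introduces; it is not code from the patch, the Platform, or the post above. It reproduces the PreValues Eval (parameter first, then header, otherwise blank) and the IPPassedIn BinaryDecision (IdentityProvider != *BLANKS) exactly as the post gives them, and shows why every login service must now declare its provider (EASYProcess, SAML or OAuth): a login request that arrives with no provider still falls through to ValidateUserId, while one that names a provider is checked against the user's configured provider. The IPMatch comparison, the wiring of its Yes and No outputs, the WorkData sample documents, and the function and constant names are assumptions made for this model.

```python
import xml.etree.ElementTree as ET

# Constructed WorkData samples (not from the patch). The first names a
# provider in both _Parameters and Header so the precedence rule of the
# PreValues Eval is visible; the second has an empty parameter node; the
# third carries no provider at all.
WORKDATA_BOTH = """<WorkData>
  <_Parameters><IdentityProvider>SAML</IdentityProvider></_Parameters>
  <Header><IdentityProvider>EASYProcess</IdentityProvider></Header>
</WorkData>"""
WORKDATA_HEADER_ONLY = """<WorkData>
  <_Parameters><IdentityProvider></IdentityProvider></_Parameters>
  <Header><IdentityProvider>OAuth</IdentityProvider></Header>
</WorkData>"""
WORKDATA_NONE = "<WorkData><_Parameters/><Header/></WorkData>"


def prevalues_identity_provider(workdata_xml: str) -> str:
    """Mirror of the PreValues Eval's xsl:choose: take
    _Parameters/IdentityProvider when non-empty, otherwise
    Header/IdentityProvider when non-empty, otherwise ''."""
    root = ET.fromstring(workdata_xml)
    for path in ("_Parameters/IdentityProvider", "Header/IdentityProvider"):
        node = root.find(path)
        # In XSLT 1.0 a missing node makes test="...!=''" false, just as an
        # empty element does, so both cases fall through to the next branch.
        if node is not None and (node.text or "") != "":
            return node.text
    return ""


def login_route(workdata_xml: str, user_identity_provider: str) -> str:
    """Walk the patched canvas and return the service the flow ends at.
    Only IPPassedIn's test (IdentityProvider != *BLANKS) and its No
    connection to ValidateUserId come from the post; the IPMatch
    comparison and the wiring of its outputs are assumptions."""
    identity_provider = prevalues_identity_provider(workdata_xml)
    # IPPassedIn: BinaryDecision on PreValues/Output/Result/IdentityProvider.
    if identity_provider == "":
        return "ValidateUserId"  # No output of IPPassedIn (from the post)
    # IPMatch (assumed): case-sensitive String compare, like the
    # BinaryDecision Type=String test, against the user's configured provider.
    if identity_provider == user_identity_provider:
        return "ValidateUserId"  # assumed: Yes of IPMatch continues validation
    return "Terminate"           # assumed: No of IPMatch -> Output -> Terminate


if __name__ == "__main__":
    # A SAML user whose request declares SAML passes; the same request for a
    # user configured for EASYProcess is terminated.
    print(login_route(WORKDATA_BOTH, "SAML"))          # ValidateUserId
    print(login_route(WORKDATA_BOTH, "EASYProcess"))   # Terminate
```

The model makes the operational consequence of the patch concrete: any custom Login service that does not set its IdentityProvider node (the three services listed above, plus any copies in modified applications) produces a blank provider, takes the No branch of IPPassedIn and bypasses the new match, which is why the post asks for every one of them to be filled out.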