IG Security Advisory #202304
A security vulnerability has been discovered in supported versions of Identity Gateway (IG). This vulnerability affects IG versions prior to 2023.9, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.
Identity Cloud customers
If you have integrated IG with Identity Cloud, you should secure your IG deployment as recommended in this security advisory.
October 5, 2023
A security vulnerability has been discovered in supported versions of IG. This vulnerability affects IG versions prior to 2023.9, and could be present in older unsupported versions.
The maximum severity of issues in this advisory is Medium.
Note
The advice is to upgrade to the latest version to fix this issue.
Details about this vulnerability are deliberately kept to a minimum to protect your deployments and to prevent anyone from attempting to exploit them in the field. For the same reasons, please do not ask for steps to reproduce.
See Upgrade for upgrade instructions.
Issue #202304-01 (CWE-325)
Affected versions | IG 2023.6 and earlier (all supported versions and perhaps older unsupported versions) |
---|---|
Fixed versions | IG 2023.9 |
Component | Cross Domain Single Sign-On (CDSSO) |
Severity | Medium |
Description:
A medium severity Missing Cryptographic Step (CWE-325) vulnerability has been discovered in versions of IG prior to 2023.9. It may be possible to bypass validation of some portions of the CDSSO token, which would allow a user to add extra information to their CDSSO token.
Mitigation:
None.
Resolution:
Upgrade to a fixed version.
Change Log
The following table tracks changes to the security advisory:
Date | Description |
---|---|
October 5, 2023 | Initial release |