Follow

Signed Launch Link Security Vulnerability

Avatar

Announced: 2020-06-25

 

Vulnerability

A flaw exists in the API v2 OAuth access token scope evaluation. 

Tokens generated in API responses for signed launch links can be used as highly privileged API access tokens, allowing an attacker to carry out unauthorized API operations.

Impacted Versions

20.1.5.89 and below

2019.1.18.505 and below

2018.1.26.575 and below

Customers Impacted

This vulnerability only impacts customers that meet all of the following criteria:

  • Engine is version 2018.1 or above
  • The v2 API is enabled (which is the default for these versions, but can be configured with the ApiEnableV2 setting)
  • Signed launch links are currently in use

Note: Customers that do not expose the Engine v2 API publicly are at a lower risk. As well, signed launch link tokens typically have a short expiration time.

Discovery Date

2020-06-18

Mitigations

No recommended mitigations have been identified. Remediation requires upgrading to a fixed version. 

Fixed Date

2020-06-24

Fixed Versions

20.1.6.108

2019.1.19.509

2018.1.27.581

Exploit Use Identification

Unless an environment is configured to capture and log HTTP request headers, or full debug logging was previously enabled, conclusive evidence of this vulnerability being exploited is unattainable. 

Access logs should be reviewed specifically for non-launch related api requests initiated from unusual IP addresses. After upgrading to a fixed version, access logs should be monitored for API requests that fail authorization. Positive results, in either case, may indicate attempts to exploit this vulnerability.

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Powered by Zendesk