September 2024 Security Advisories
Here's a list of the security advisories for 2024.
Ruby SAML gem component authentication bypass vulnerability
The Ruby SAML gem is affected by an authentication bypass vulnerability, which impacts the Illumio PCE in both SaaS and on-premises deployments. An authenticated attacker could potentially leverage this vulnerability to authenticate as another SAML user. For SaaS customers, the target user can be in a different org and on a different cluster.
Severity
Critical: CVSS score is 9.9
CVSS: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected Products and Patch Information
Security vulnerabilities addressed by this Security Alert affect the products listed below.
Affected Products | Affected Versions | Fixed Version |
|---|---|---|
Illumio Core PCE | <= 21.5.36 | >= 21.5.37 |
<= 22.2.42 | >= 22.2.43 | |
<= 22.5.32 | >= 22.5.34 | |
<= 23.2.30 | >= 23.2.31 | |
<= 23.5.21 | >= 23.5.22 | |
<= 24.2.0 | >= 24.2.10 |
Resolution
Upgrade to the latest release for a given major version.
References
Skipped Critical Patch Updates
Illumio strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.
Discovered By
External Security Firm
Frequently Asked Questions
What software components are affected?
Only the Illumio PCE is impacted by this vulnerability.
What products did this affect?
This vulnerability impacts the PCE, including Core on-premises deployments, Core SaaS, Endpoint, MSP, and Edge.
Is Core SaaS affected?
SaaS PCE clusters were impacted. Those environments have been patched.
I’m using Cloud. Am I impacted?
The Cloud platform is not affected.
Will the patch affect performance?
The update is not expected to affect performance.
How can I tell if this vulnerability was used against my on-premises PCE?
Illumio is creating queries that can be used by customers to detect known vectors for exploitation of this vulnerability. Please contact Illumio Support or your account team for assistance. If you suspect this vulnerability was used within your environment, please reach out to Illumio Support.
Has Illumio investigated if this vulnerability was used on any SaaS PCEs?
Illumio is currently investigating all available data from the production SaaS environment and has so far found no indications that the issue has been exploited.
I can’t apply the patch immediately. How can I mitigate the issue in the meantime?
This vulnerability requires SAML to be enabled on the customer's PCE in order to be exploited. Customers who cannot patch their PCEs immediately, and who wish to mitigate this issue, can choose to disable SAML authentication on the PCE. For details, see the "Authentication" topic in the PCE Administration Guide. Additionally, customers can enable IP restrictions to limit access to only trusted source IPs (for example, for privileged accounts). For details, see the "Configure Access Restrictions and Trusted Proxy IPs" topic in the PCE Administration Guide.
How long will the upgrade take?
The fix will be provided in a normal code release so this will take the same amount of time as any PCE upgrade.
Were any Illumio customers impacted by this vulnerability?
Illumio is not aware of any exploitation of this vulnerability within any customer environments.
Modification History
September, 2024: Initial Publication of CVE