Edge module tenant header injection
Ladisch, Julian 06 Jul 2022 16:44 EDT
Hi,
on behalf of the FOLIO Security Team I inform about a security vulnerability:
Many edge modules have a tenant header injection security issue: https://issues.folio.org/browse/EDGCOMMON-47
Adding the X-Okapi-Tenant HTTP header to any request to the edge module overwrites the configured tenant id.
This issue is in OkapiClient.java provided by the code library edge-common. All edge-common versions before 4.3.0 are affected.
Affected edge modules:
. edge-dematic, all versions before 1.6.0 are affected
. edge-connexion is not affected because it doesn't use OkapiClient
. edge-ncip, all versions before 1.8.0 are affected
. edge-oai-pmh, all versions before 2.5.0 are affected
. edge-orders, all versions before 2.6.0 are affected
. edge-orders, all versions before 2.6.0 are affected
. edge-patron, all versions before 4.9.0 are affected
. edge-rtac, all versions before 2.5.0 are affected
. edge-lti-courses, all versions are affected, no fix available yet
Only multi-tenant installations are affected.
An edge module is only affected if the credentials (username + password) of the institutional user of that edge module are valid on
a different tenant, for example on both test tenant and production tenant.
Mitigation:
. Use different credentials for each tenant. OR
. Remove the X-Okapi-Tenant HTTP header from requests to these edge modules. OR
. Upgrade to a fixed version if available.
To discuss this vulnerability use FOLIO's #sys-ops Slack channel or contact the FOLIO Security Team:
https://wiki.folio.org/display/SEC
Julian Ladisch