Date: February 2017
The Soffid engineering team has found a severe vulnerability in the Soffid console component. An attacker would be able to execute arbitrary code by injecting a malformed identification token. A Soffid console upgrade has been released to address this security flaw. To protect our customers, details about the attack vector won’t be disclosed until June 1st. Soffid recommends that everyone upgrade the Soffid Console and the Soffid Synchronization server to the latest version (1.7.5) prior to June 1st. We show here how to upgrade the Soffid console and get rid of this vulnerability.
Soffid Console upgrade
It is assumed that you already have a Soffid Console configured. First of all, download the latest Soffid Console Installer from the Soffid download manager.
Soffid download page
Save the install-1.7.5.sh file to a folder on your server.
As soon as install-x.y.z.sh is stored in your folder, execute it with the command below.
bash ./install-1.7.5.sh -c
A message appears warning that the Soffid Identity Manager Console is going to be installed. Press [Enter] to go on.
Then the program warns that there is already a previous installation. When it asks “Do you wish to update that installation?” type 1 to proceed:
Afterwards you are required to read the terms and conditions. As soon as you have finished reading all of them, accept the agreement by typing Yes:
Configure Soffid Console
The next step is to configure some parameters. First, enter your host’s simple name (without the domain name).
Next, enter your domain name. The Soffid IAM Console installer will stop the currently running console and extract the files.
When the installation is finished, the screen will look like this:
The Soffid IAM Console service should now be stopped. Check its status by typing in your console:
service soffid-iamconsole status
Start console service with the following statement:
service soffid-iamconsole start
Now check whether the installation was successful. Open your favourite browser and enter your fully qualified host name. In this example it is www.demoserver.lab:8080/
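A post-upgrade check for the console procedure above, added here as an example and not part of Soffid's own tooling: it compares the installed version against 1.7.5, starts the soffid-iamconsole service if status reports it stopped, and confirms the console answers over HTTP. It assumes the caller supplies the installed version string (as read from the installer banner) and the console URL, since the page does not document a command that prints the version.

```shell
#!/bin/sh
# Post-upgrade check for the Soffid Console upgrade (added example, not
# Soffid's own tooling). Assumptions: the caller supplies the installed
# console version and the console URL; `service soffid-iamconsole status`
# exits non-zero while the service is stopped.

REQUIRED_VERSION="1.7.5"   # first version that closes the token flaw

# version_ge A B: exit 0 if dotted version A is greater than or equal to B.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"               # leading component
        [ "$a" = "$ap" ] && a="" || a="${a#*.}"    # drop it from the remainder
        [ "$b" = "$bp" ] && b="" || b="${b#*.}"
        ap="${ap:-0}"; bp="${bp:-0}"               # missing component counts as 0
        [ "$ap" -gt "$bp" ] && return 0
        [ "$ap" -lt "$bp" ] && return 1
    done
    return 0
}

# needs_upgrade INSTALLED: exit 0 if INSTALLED is older than 1.7.5.
needs_upgrade() {
    ! version_ge "$1" "$REQUIRED_VERSION"
}

# console_reachable URL: exit 0 if the console answers HTTP 200 within 5 s.
console_reachable() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" 2>/dev/null) || code=000
    [ "$code" = "200" ]
}

# ensure_console_started: start the service only if status reports it stopped.
ensure_console_started() {
    service soffid-iamconsole status >/dev/null 2>&1 || service soffid-iamconsole start
}

# check_upgrade INSTALLED URL: 0 = patched and up, 1 = still vulnerable, 2 = down.
check_upgrade() {
    if needs_upgrade "$1"; then
        echo "console $1 is older than $REQUIRED_VERSION: upgrade before June 1st"
        return 1
    fi
    ensure_console_started
    if console_reachable "$2"; then
        echo "console $1 is up at $2"
    else
        echo "console $1 is not answering at $2"
        return 2
    fi
}
```

Source the file and run, for example, `check_upgrade 1.7.5 http://www.demoserver.lab:8080/` after the installer finishes.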
Updating Sync Server
As soon as you have access to your Soffid IAM Console, log on with a user with admin rights.
Now open a new browser tab and go to www.soffid.com/download/enterprise/ to download the latest Synchronization server version. Click on the service pack and the download will start.
Afterwards, go back to your Soffid Console. Click Main Menu → Soffid Configuration → Addon Management. A new screen appears. Click the upload button.
A pop-up appears asking for a file. Click upload and select the syncserver-x.y.z.jar file you just downloaded, where x.y.z is the version number.
To apply the changes, you have to restart the sync server. You can do this from the monitoring screen: click the circular arrows icon, click YES and wait until the traffic lights are green again.
The Soffid engineering team