Situation

Software issue #POA-106802 allows OA users to communicate with the Domain SDK endpoint without authentication.

Impact

Users of an OA system who have access to the backnet network can communicate with the Domain SDK endpoint without authorization. This may lead to a situation where, for example, a malicious shared hosting user can try to exploit potential weaknesses in current or future Domain plugins or in the Domain SDK framework itself. It is worth noting that there are no known security weaknesses in the Domain SDK or its plugins that can be immediately exploited this way.

Solution

The fix is planned to be included in one of the future product updates. Until the fix is released, please use the workaround below:

On the Domain SDK service node:

  1. Backup the configuration file:

    # cp /etc/httpd.d/conf.d/pa-domain-sdk.conf{,.backup}

  2. Open the original file and find the line:

    <VirtualHost>

  3. Add the following snippet after it:

    <Location />
      Order deny,allow
      Deny from all
      Allow from 192.0.2.2
    </Location>

    where 192.0.2.2 is the communication (internal) IP address of the management node.

  4. Reload the HTTPD service:

    # /etc/init.d/httpd reload

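A way to confirm that the workaround above is actually in place, as an added example that is not part of the original article: a POSIX shell check that parses the Apache configuration for the `<Location />` block and verifies that only the management node is allowed. The configuration file path, the management IP and the sample configuration at the bottom are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original KB article: verify that the workaround
# ACL is present and correctly ordered in the Domain SDK Apache config.
# Assumptions: the management IP and the sample config below are constructed.

# check_sdk_acl CONF MGMT_IP
# Returns 0 only when CONF contains a <Location /> block with
# "Order deny,allow", "Deny from all" and exactly one "Allow from MGMT_IP".
# Any other "Allow from" host fails the check, and so does "Order allow,deny",
# which would let "Deny from all" win and lock the management node out too.
check_sdk_acl() {
    conf="$1"; mgmt_ip="$2"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk -v ip="$mgmt_ip" '
        { l = tolower($0) }                      # Apache directives are case-insensitive
        l ~ /^[ \t]*<location[ \t]+\/>/ { inloc = 1; order = deny = allow = bad = 0; next }
        inloc && l ~ /^[ \t]*<\/location>/ {
            inloc = 0; if (order && deny && allow && !bad) ok = 1; next
        }
        inloc && l ~ /^[ \t]*order[ \t]+deny,allow/    { order = 1; next }
        inloc && l ~ /^[ \t]*deny[ \t]+from[ \t]+all/   { deny = 1; next }
        inloc && l ~ /^[ \t]*allow[ \t]+from/ {
            if (NF == 3 && $3 == ip) allow = 1; else bad = 1; next
        }
        END { exit ok ? 0 : 1 }
    ' "$conf"
}

# probe_sdk_endpoint URL: prints the HTTP status the endpoint returns to this
# host; after the workaround, a non-management host should see 403.
probe_sdk_endpoint() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}

# Demonstration on a constructed config file (not a real installation):
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<VirtualHost>
    <Location />
      Order deny,allow
      Deny from all
      Allow from 192.0.2.2
    </Location>
</VirtualHost>
EOF
if check_sdk_acl "$demo_conf" 192.0.2.2; then
    echo "ACL present: only 192.0.2.2 may reach the Domain SDK endpoint"
else
    echo "ACL missing or wrong in $demo_conf" >&2
fi
rm -f "$demo_conf"
```

Run the check against /etc/httpd.d/conf.d/pa-domain-sdk.conf after step 3, then probe the endpoint from a host other than the management node to confirm it is refused.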

Call to Action

Odin takes the security of our customers very seriously. To avoid the potential risks, customers are encouraged to apply the suggested workaround and to install the fix as soon as it is released.
