To: All Fischer Customers
Publish Date: 5/12/2020
Fischer Identity’s Quality Control team has identified a security vulnerability affecting certain connectors within the Fischer Identity Suite version 7.4.10 and prior. This issue was immediately escalated, and our development team has fixed the vulnerability in the latest 7.4.11 release.
What was found?
Our Quality Control team identified that connected system details were not encrypted at rest within our database table or while in transit to the Global Identity Gateway (GIG). This potentially exposed the details to individuals who have access to the Fischer database tables, and to a bad actor who intercepted the data as it was passed from the database to the GIG. At no time was sensitive user data exposed.
The connectors and associated properties isolated to this vulnerability are:
| Connector | Exposed Property |
| --- | --- |
| Box | Access Token |
| Office365 REST | Access Token |
| WebEx Teams | Access Token |
| Azure AD | Client Secret |
| EventPro | API Key |
| Google Apps | RSA Private Key |
| Canvas LMS | Access Token |
For our Fischer IaaS cloud customers, rest assured we have strict access controls to our database that ensure only key personnel within our organization have access. Additionally, a bad actor would have had to intercept communications to the GIG.
What is the risk?
We take all security vulnerabilities very seriously. We do consider the exploitability as low, however impact if exploited since the information is accessible only by those individuals who have access to the Fischer database tables, typically administrative users, or by a bad actor maliciously attempting to intercept the data. If SSL is in use, the information would not have been transmitted in the clear.
What is the best way to remedy this issue?
The best course of action is to upgrade to the latest production version of the Fischer product to ensure that this vulnerability is removed. Additionally, if you’d like us to assist in updating the tokens and keys, please let us know and we’ll be happy to assist.
Please be on the lookout for notifications from Fischer Operations regarding the logistics of your instance-specific updates.
Fischer will continue to be proactive in our efforts to ensure the security of our customers is never at risk, and we will continue to evolve our products in order to improve our solutions and your end users’ experience. Thank you for continuing to trust us with your Identity Program.