Perfect 10 directory traversal vuln hits SailPoint’s IAM solution

December 3, 2024 at 06:55PM

SailPoint has reported a critical vulnerability (CVE-2024-10905) in its IdentityIQ IAM platform, classified as a directory traversal flaw. Customers are urged to upgrade to 8.4p2, 8.3p5 or 8.2p8, whichever matches the release branch they run. No security advisory has been issued, and the company did not respond to inquiries about whether the flaw has been exploited.

**Meeting Takeaways: Major Vulnerability in SailPoint IdentityIQ**

1. **Vulnerability Disclosed**: SailPoint has disclosed a critical vulnerability (CVE-2024-10905) in its Identity and Access Management platform, IdentityIQ, rated 10/10 in severity.

2. **Nature of the Flaw**: The vulnerability is classified as a directory traversal flaw (CWE-66), which lets an attacker reach files and directories outside the intended path. This can result in the disclosure of sensitive information and potential system compromise.

3. **Lack of Security Advisory**: At the time of the meeting, there is no security advisory accompanying the vulnerability disclosure. Details are sparse as the National Vulnerability Database (NVD) has not published a full analysis.

4. **Affected Versions**: The following versions of SailPoint IdentityIQ are known to be vulnerable:
– 8.4p1 and earlier
– 8.3p4 and earlier
– 8.2p7 and earlier

5. **Recommended Updates**: Customers are advised to upgrade to the following patched versions to mitigate the vulnerability:
– 8.4p2
– 8.3p5
– 8.2p8
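As an added example (not from the article or from SailPoint), a small triage helper that flags IdentityIQ versions falling below the patched levels listed above; the version-string format is assumed from the article's "8.4p1" style, and the inventory hostnames are constructed.

```python
import re
from typing import Optional

# Patched versions per release branch, as listed in the article.
# Anything below these patch levels on the same branch is reported as vulnerable
# (8.4p1 and earlier, 8.3p4 and earlier, 8.2p7 and earlier).
FIXED_PATCH_LEVEL = {"8.4": 2, "8.3": 5, "8.2": 8}

# Assumption: versions look like "8.4" (GA) or "8.4p1" (patch 1).
VERSION_RE = re.compile(r"^(\d+\.\d+)(?:p(\d+))?$")


def parse_version(version: str) -> tuple[str, int]:
    """Split '8.3p4' into ('8.3', 4); a bare '8.3' is treated as patch level 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IdentityIQ version string: {version!r}")
    return m.group(1), int(m.group(2) or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fixed patch level of its branch, False if at or above it,
    None if the article gives no fixed version for that branch (check with the vendor)."""
    branch, patch = parse_version(version)
    fixed = FIXED_PATCH_LEVEL.get(branch)
    if fixed is None:
        return None
    return patch < fixed


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hostname -> version pairs into vulnerable / patched / unknown."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        status = is_vulnerable(version)
        key = "unknown" if status is None else ("vulnerable" if status else "patched")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames are made up.
    sample = {"iiq-prod-01": "8.4p1", "iiq-prod-02": "8.4p2", "iiq-dr-01": "8.3",
              "iiq-dev-01": "8.2p8", "iiq-lab-01": "8.5"}
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Branches the article does not cover (for example anything other than 8.2, 8.3 or 8.4) land in the "unknown" bucket rather than being silently treated as safe.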

6. **Customer Base**: SailPoint has a robust customer base, including prominent organizations such as BNP Paribas, Toyota Europe, Philips, Home Depot, General Motors, and a major European central bank.

7. **CISA’s Stance**: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) previously emphasized the importance of addressing directory traversal flaws, urging vendors to adopt secure-by-design principles in software development.

8. **Inquiry to SailPoint**: The Register contacted SailPoint to ask about the absence of a security advisory and whether it is aware of any successful exploitation, but did not receive an immediate response.

**Action Items**:
– Ensure affected systems are updated to the recommended versions as soon as possible.
– Monitor for any further communications from SailPoint regarding this vulnerability.
