Response to CVE-2014-8489: PingFederate 6.10.1 SP Endpoints

December 10, 2014

As part of our dedication to excellence, Ping Identity values feedback about our products. Mr. Wang Jing identified a vulnerability in our product PingFederate 6.10.1. This vulnerability was publicized by Mr. Jing in his blog and seclists.org on December 9, 2014. We would like to inform the public and our customers that this particular vulnerability was addressed and remediated by Ping Identity in June 2014, and made public in a security bulletin in July 2014. See SECBL003 - "Security vulnerability with Target Resource Validation", posted on July 7, 2014, for more information.

At Ping Identity, we do our best to thoroughly test our code, knowing it is impossible to test every software combination and permutation across our customer environments. It is therefore critical for us to receive feedback on any security, or suspected security, issues so that we can perform our due diligence in making our products the most secure they can be.

We understand that any reports of vulnerabilities can be unsettling. Therefore, should you have any issues or concerns, please contact Ping Identity Customer Support.

Ping Identity Customer Support

Email: support@pingidentity.com

Customer portal: https://ping.force.com/Support

Phone: International: +1 303-468-2857 | North America (toll free): 855-355-7464 (PING)