CVE-2021-3034

Cortex XSOAR: Secrets for SAML single sign-on (SSO) integration may be logged in system logs

Description

An information exposure through log file vulnerability exists in Cortex XSOAR software where the secrets configured for the SAML single sign-on (SSO) integration can be logged to the '/var/log/demisto/' server logs when testing the integration during setup. This logged information includes the private key and identity provider certificate used to configure the SAML SSO integration. This issue impacts: Cortex XSOAR 5.5.0 builds earlier than 98622; Cortex XSOAR 6.0.1 builds earlier than 830029; Cortex XSOAR 6.0.2 builds earlier than 98623; Cortex XSOAR 6.1.0 builds earlier than 848144.

Remediation

Solution:

  • This issue is fixed in Cortex XSOAR 5.5.0 build 98622, Cortex XSOAR 6.0.1 build 830029, Cortex XSOAR 6.0.2 build 98623, Cortex XSOAR 6.1.0 build 848144, and all later Cortex XSOAR versions. After you upgrade the Cortex XSOAR appliance, you must configure a new private key for SAML SSO integration. Clear the server system logs using the instructions provided in the Workarounds and Mitigations section to remove any potentially logged secrets.

Workaround:

  • You must configure a new private key for SAML SSO integration and you should not use the 'Test' button at any time during setup until after you complete the Cortex XSOAR upgrade. You must clear all server system log files located in the '/var/log/demisto/' directory. There may be several files in this directory, including the server.log file and other archived server logs. You can clear all server system logs by stopping the server and running the 'rm /var/log/demisto/server*.log' command from the console.
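The cleanup step above can be checked before and after it is run. The following is an added example, not code from the vendor advisory: it reports which server*.log files in a directory still contain PEM-encoded key or certificate headers. It assumes a logged secret keeps its PEM "-----BEGIN ...-----" header on the log line; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: a logged key or certificate
# keeps its PEM "-----BEGIN ...-----" header somewhere on the log line.
PEM_RE='-----BEGIN ([A-Z0-9]+ )*(PRIVATE KEY|CERTIFICATE)-----'

# List every server*.log file in directory $1 that contains a PEM header.
# Prints file name and line count only, never the matched secret.
# Returns 1 if any file matches, 0 if the directory is clean.
scan_server_logs() {
    dir=$1
    found=0
    for f in "$dir"/server*.log; do
        [ -f "$f" ] || continue    # glob matched nothing
        n=$(grep -E -c -e "$PEM_RE" "$f" || true)
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s: %s matching line(s)\n' "$f" "$n"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample, not real XSOAR output: the active log holds a leaked
# header, the archived log is clean. Prints the temporary directory path.
make_sample_logs() {
    d=$(mktemp -d)
    printf '%s\n' '2021-03-01 10:00:01 info saml test params: -----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER' > "$d/server.log"
    printf '%s\n' '2021-02-28 09:00:00 info server started' > "$d/server-2021-02-28.log"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /var/log/demisto   (no argument: scan the sample)
if [ "$#" -gt 0 ]; then
    scan_server_logs "$1" || echo "Secrets found: rotate the SAML key and clear these logs."
else
    sample=$(make_sample_logs)
    scan_server_logs "$sample" || echo "Secrets found: rotate the SAML key and clear these logs."
    rm -rf "$sample"
fi
```

A clean result after the logs are cleared does not cover copies that left the host earlier, such as backups or forwarded logs, which is why the key must be replaced in any case.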

CVSS: 5.1
Severity: Medium
EPSS: 0.07%
Vendor advisory: paloaltonetworks.com
Affected: Palo Alto Networks Cortex XSOAR

Frequently Asked Questions

What is the severity of CVE-2021-3034?
CVE-2021-3034 has been scored as a medium severity vulnerability.
How to fix CVE-2021-3034?
To fix CVE-2021-3034: This issue is fixed in Cortex XSOAR 5.5.0 build 98622, Cortex XSOAR 6.0.1 build 830029, Cortex XSOAR 6.0.2 build 98623, Cortex XSOAR 6.1.0 build 848144, and all later Cortex XSOAR versions. After you upgrade the Cortex XSOAR appliance, you must configure a new private key for SAML SSO integration. Clear the server system logs using the instructions provided in the Workarounds and Mitigations section to remove any potentially logged secrets.
Is CVE-2021-3034 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2021-3034 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-3034?
CVE-2021-3034 affects Palo Alto Networks Cortex XSOAR.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.