Policy Framework / POLICY-432

Upgrade to Portal SDK 1.3.2

    • Type: Task
    • Resolution: Done
    • Priority: Medium
    • Beijing Release

      Per Leimeng of Portal Team:

       

      Hello Partners,

       

      Please confirm that all your application’s access is via the Portal and the users are not directly accessing your application. If the access is via Portal, then you are fine. If you have chosen to expose the login page of your app directly to users then please be aware that we found a critical security vulnerability with the login page.

      The Portal team has fixed the security vulnerability in the SDK version 1.3.2. Most of you have already been using the 1.3.0 SDK version, so we recommend upgrading to 1.3.2 soon in the next Beijing release to take advantage of the fix. The 1.3.2 version is backward compatible so it should be as simple as changing the SDK version reference in your pom file.

      What is the issue?

      The partnering apps are using a backdoor-like login page to access the apps, and the login page has a vulnerability for SQL injection.

      How to fix it?

      Remove the backdoor login page and upgrade to the SDK 1.3.2 or the latest version (as the 1.3.2 version addressed the SQL injection issue).

      Regards

      Manoop and Leimeng

       

      P.S. Thanks to Lumir, AT&T Network Architect, who brought this to our attention.

            pdragosh pdragosh