CVE-2014-5059 CASified uPortal security patch

Andrew Petro-3
uPortal adopters,
THIS IS A SEPARATE, AND MORE SERIOUS, ISSUE THAN CVE-2014-4172 that was recently disclosed.

This is an initial vulnerability disclosure of a really serious vulnerability that will affect many uPortal environments.

Here's the deal:

* the uPortal security APIs have an execution path such that they can get confused about who the user is.
* the CasAssertionSecurityContext falls prey to this path if configured in a particular way
* the default configuration and example configuration shipping in uPortal for a long time are configured in that particular way

**If your uPortal is using CAS authentication, it is probably vulnerable.**

The good news is there's a downright trivial change you can make your your to secure your portal immediately.

How to tell if your portal is vulnerable and how to apply the workaround is thoroughly documented here:

The uPortal 4.0.15 and 4.1.1 releases will ship with a code fix so that even uPortals not updating their will no longer be vulnerable.  Those releases are in flight and should complete today, but if you are affected you really shouldn’t wait for that process to complete to apply this fix to your

This is issue in the uPortal issue tracker.

With best wishes for low-hassle patching,
