CVE-2014-5059 CASified uPortal security patch

Andrew Petro-3
uPortal adopters,

HEADS UP THIS IS IMPORTANT.

THIS IS A SEPARATE, AND MORE SERIOUS, ISSUE THAN CVE-2014-4172 that was recently disclosed.

This is an initial vulnerability disclosure of a really serious vulnerability that will affect many uPortal environments.

Here's the deal:

* the uPortal security APIs have an execution path such that they can get confused about who the user is.
* the CasAssertionSecurityContext falls prey to this path if configured in a particular way
* the default configuration and example configuration that have shipped in uPortal for a long time configure it in that particular way

**If your uPortal is using CAS authentication, it is probably vulnerable.**

The good news is there's a downright trivial change you can make to your security.properties to secure your portal immediately.

How to tell if your portal is vulnerable and how to apply the security.properties workaround is thoroughly documented here:

http://apetro.ghost.io/uportal-cve-2014-5059-workaround/

The uPortal 4.0.15 and 4.1.1 releases will ship with a code fix so that even uPortals not updating their security.properties will no longer be vulnerable.  Those releases are in flight and should complete today, but if you are affected you really shouldn’t wait for that process to complete to apply this fix to your security.properties.

This is issue https://issues.jasig.org/browse/UP-4192 in the uPortal issue tracker.

With best wishes for low-hassle patching,

Andrew
