Race condition in org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController

Timur Evdokimov

Hi all,

Seems like commit 0b465e34b6ff594a177fa9118c87a13cff349374 (July 18th 2019) has introduced a dangerous race condition in OAuth20CallbackAuthorizeEndpointController.

Before, ‘callback’ was created per request; now it is shared among all threads accessing it.

As a result, callback.getRedirectUrl() sometimes returns the same value for two or more threads accessing it.

It looks rather like a high profile security issue, since the redirect URL contains the ‘state’ value that would allow one user to impersonate another, should they hit CAS at the same millisecond.

Kind regards,
Tim

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/F7C333C2-8EDB-4616-BE92-E24622948C6C%40ebay.com.
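Added illustration, not code from this thread or from the CAS code base: a small Python model of the failure mode described above. A handler that keeps its per-request output in an instance field (`redirect_url`, read back through `get_redirect_url()`) is run once as a single instance shared by all threads and once constructed per request. In the real controller the collision depends on two requests landing at the same moment; here a `threading.Barrier` forces every thread to finish `perform()` before any thread reads, so the leak reproduces on every run. The class names, the client callback URL and the `state` values are constructed for the example.

```python
"""Shared-instance vs per-request callback handler: a model of the race
reported for OAuth20CallbackAuthorizeEndpointController.
Constructed example; names and data are assumed, not taken from CAS."""
import threading
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass(frozen=True)
class AuthorizeRequest:
    """Constructed sample of what a client sends to the authorize callback."""
    user: str
    client_id: str
    state: str  # anti-CSRF token the client expects back unchanged


class CallbackLogic:
    """Stands in for a callback handler that stores its result in an instance
    field and exposes it via a getter, as described in the report (assumed shape)."""

    def __init__(self) -> None:
        self.redirect_url = None

    def perform(self, req: AuthorizeRequest) -> None:
        # The only per-request output lives in instance state: if the instance
        # is shared, a concurrent perform() overwrites it before we read it back.
        self.redirect_url = "https://client.example/cb?" + urlencode(
            {"client_id": req.client_id, "state": req.state}
        )

    def get_redirect_url(self) -> str:
        return self.redirect_url


def run_concurrently(requests, make_logic):
    """Handle each request on its own thread. The barrier between perform()
    and get_redirect_url() forces the interleaving the reporter hit by chance:
    every thread has written before any thread reads."""
    barrier = threading.Barrier(len(requests))
    results = {}
    lock = threading.Lock()

    def worker(req):
        logic = make_logic()
        logic.perform(req)
        barrier.wait()
        url = logic.get_redirect_url()
        with lock:
            results[req.user] = url

    threads = [threading.Thread(target=worker, args=(r,)) for r in requests]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def state_of(url: str) -> str:
    return parse_qs(urlparse(url).query)["state"][0]


def leaked_states(results, requests):
    """Users whose redirect carries a 'state' value that belongs to someone else."""
    expected = {r.user: r.state for r in requests}
    return sorted(u for u, url in results.items() if state_of(url) != expected[u])


# Constructed concurrent requests from three different users.
REQUESTS = [
    AuthorizeRequest("alice", "app-1", "state-alice-7f3a"),
    AuthorizeRequest("bob", "app-1", "state-bob-91c2"),
    AuthorizeRequest("carol", "app-2", "state-carol-44de"),
]


def shared_instance_results():
    shared = CallbackLogic()  # one instance for every thread: the reported shape
    return run_concurrently(REQUESTS, lambda: shared)


def per_request_results():
    return run_concurrently(REQUESTS, CallbackLogic)  # fresh instance per request


if __name__ == "__main__":
    print("shared instance, users given someone else's state:",
          leaked_states(shared_instance_results(), REQUESTS))
    print("per-request instance, users given someone else's state:",
          leaked_states(per_request_results(), REQUESTS))
```

With the shared instance all three threads read whichever `perform()` ran last, so two of the three users are redirected with another user's `state`; with a fresh instance per request nobody is. The same holds for any other per-request value parked in a field of a singleton handler, which is why the fix is to construct the object per request (or keep the result in a local) rather than to synchronize the getter.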
Re: Race condition in org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController

Timur Evdokimov

My apologies, correct commit ID is b1cbcb2a1b305fb915be3dac65e130da315772c0.

PR to address the issue:

https://github.com/apereo/cas/pull/4253
From: "'Evdokimov, Timur(AWF)' via CAS Developer" <[hidden email]>
Reply to: "Evdokimov, Timur(AWF)" <[hidden email]>
Date: Friday, 6 September 2019 at 13:21
To: "[hidden email]" <[hidden email]>
Subject: [cas-dev] Race condition in org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/807AC26E-B5A6-4C7A-8154-0AFCA2B1AAE6%40ebay.com.