Thanks Jérôme, finally someone reasonably stopped this unfortunate conversation.

Congratulations buddies, you managed to turn a simple release announcement 
containing a relevant security fix into one of the biggest bikeshedding 
episodes I’ve seen recently, just because of an annoyed fella that didn’t like 
the description of the CVE. Cry me a river whiny boy!

Can we get back to work now? I already updated all my CAS deployments while you 
had this crappy conversation. 

Cheers,
Ticini, Yuri
 

On Saturday, January 24, 2015 9:08 AM, Jérôme LELEU <[email protected]> wrote:


Hi,
I planned not to interfere in this discussion, but seriously we should stop it 
now.

I made the announcement and I reviewed and agreed to the CVE: so I'll take my 
full part of responsibility if things are not clear. I'd like to thank J. Tozo 
for the time he took on this and the right approach to contact us first 
privately.
This has been discussed privately within the CAS PMC. This is a security issue: 
* should never be treated as a wildcard but as a single character. Thus the 
CVE. I still believe it was the right thing to do, even if, in the light of 
your last comments, it was too alarming.
My announcement said: You must notice that there is a security fix for the "LDAP 
login with wildcards" attack (CVE-2015-1169). You must upgrade if you use LDAP 
authentication.

It was broadcast with other bugfixes and feature backports, meaning it's not 
a critical vulnerability. Otherwise, there would have been a dedicated 
communication. No "critical" word. Maybe I should have said "minor". I did not 
say "you should upgrade NOW!". I think "LDAP login with wildcards" is a 
reasonable description. I thought all LDAP handlers were vulnerable but this is 
not the case. Yes, I was wrong.
I don't think we can always imagine all use cases and data topologies, so one 
must be careful and upgrade to 3.5.3, even if it's not in a hurry. If we hadn't 
created a CVE, I'm sure someone would have blamed us for that.
But, above all, I'd like to remind you of the great efforts and the good 
will of the volunteers of the CAS community. We deserve more clemency (we are 
not all in the same timezones and are not all fluent in English) and courtesy.
Best regards,

Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
2015-01-24 2:50 GMT+01:00 Paul B. Henson <[email protected]>:

> From: J. Tozo
> Sent: Friday, January 23, 2015 3:35 PM
>
> http://www-01.ibm.com/support/docview.wss?uid=swg21682946

Nice try (just to be polite), but sorry, fail.

The title of the IBM bulletin is "Brute-force attack in ClearQuest Web". The 
detailed description is "IBM Rational ClearQuest could allow a remote attacker 
to bypass security restrictions, caused by an error in the login form. An 
attacker could exploit this vulnerability using brute-force techniques to gain 
access to a user's account."

The actual CVE (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3101) 
description is "The login form in the Web component in IBM Rational ClearQuest 
7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not 
insert a delay after a failed authentication attempt, which makes it easier for 
remote attackers to obtain access via a brute-force attack."

So exactly what in any of that are you interpreting as "bypassing 
authentication"? While the IBM description does indeed include the word 
"bypass" (but note the actual CVE does not), it says the issue allows you "to 
bypass security restrictions", not "bypass authentication".

If you actually read the bulletin, you will see the problem under discussion is 
that the web form did not have any mechanism to mitigate a brute force 
attack. You could feed it usernames and passwords as fast as the network would 
allow you to. Honestly, I don't even know if that could be classified as an 
"error in the login form" so much as the lack of an anti-brute-forcing feature.

While you did manage to find a document that contained the words "bypass", 
"bruteforce", and "authentication", it really has no bearing on your CVE nor in 
any way supports or defends your position that your CVE in any way describes a 
vulnerability that "bypasses authentication". For the most part, your 
presentation of this document simply further solidifies my opinion on your lack 
of understanding of security concepts and basic terminology, as well as your 
inability to analyze and properly classify security vulnerabilities.

But feel free to try again. I suppose shooting fish in a barrel isn't very 
sportsmanlike, but sometimes it does offer a perverse level of enjoyment. And 
perhaps is even a bit cathartic after the annoyance you caused me yesterday 
morning.

--
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  [email protected]
California State Polytechnic University  |  Pomona CA 91768



--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user



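The technical point behind the fix Jérôme describes above, that a `*` in a login name must reach the directory as a literal character and not as a wildcard, as an added example that is not CAS code and not part of this thread: an RFC 4515 filter-value escaper placed beside a naive filter builder, both run against a constructed three-entry directory through a toy matcher that emulates LDAP's `*` substring matching. The directory contents, the uids and passwords, the `uid` attribute and all function names are illustrative assumptions, and the password comparison stands in for the LDAP bind step.

```python
"""RFC 4515 escaping for values interpolated into an LDAP search filter.

Added example, not CAS code. Shows why an unescaped '*' in a login name turns
an equality filter into a wildcard search, and how escaping keeps it literal.
"""
import re

# Constructed sample directory (uid -> password); stands in for the real LDAP
# server and its bind step. Not real data.
SAMPLE_DIRECTORY = {
    "alice": "correct-horse",
    "bob": "battery-staple",
    "admin": "hunter2",
}

# RFC 4515 section 3: these characters must be escaped as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so every character is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Naive interpolation: '*', '(' and ')' keep their filter meaning."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    """Escaped interpolation: the username is a literal assertion value."""
    return f"(uid={escape_filter_value(username)})"


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Toy LDAP matcher: '*' is a wildcard, '\\XX' is one literal character."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "\\":
            hexpair = pattern[i + 1:i + 3]
            if len(hexpair) != 2:
                raise ValueError("bad escape in filter: " + pattern)
            parts.append(re.escape(chr(int(hexpair, 16))))
            i += 3
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def search(directory: dict, filter_str: str) -> list:
    """Return the uids matching a single '(uid=...)' filter, sorted."""
    m = re.fullmatch(r"\(uid=(.*)\)", filter_str, re.DOTALL)
    if m is None:
        raise ValueError("unsupported filter: " + filter_str)
    rx = _pattern_to_regex(m.group(1))
    return sorted(uid for uid in directory if rx.match(uid))


def authenticate(directory: dict, username: str, password: str,
                 build_filter) -> "str | None":
    """Resolve the account by filter, then check the password of the single
    entry found. Returns the uid actually authenticated, or None."""
    matches = search(directory, build_filter(username))
    if len(matches) != 1:
        return None
    uid = matches[0]
    # Stand-in for the LDAP bind against the found entry's DN.
    return uid if directory[uid] == password else None


if __name__ == "__main__":
    # With the naive filter, 'adm*' resolves to 'admin' and the login succeeds
    # for a username the caller never typed; the escaped filter matches no one.
    print(search(SAMPLE_DIRECTORY, build_filter_unsafe("*")))
    print(search(SAMPLE_DIRECTORY, build_filter_safe("*")))
    print(authenticate(SAMPLE_DIRECTORY, "adm*", "hunter2", build_filter_unsafe))
    print(authenticate(SAMPLE_DIRECTORY, "adm*", "hunter2", build_filter_safe))
```

Escaping only covers the search step, so a handler should also refuse to proceed when the search returns anything other than exactly one entry, as `authenticate` does; and every attribute value interpolated into the filter needs the same treatment, not only `uid`.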