Hi,

As Bill has mentioned, I will be taking care of the 2.5 branch, which includes:

1- Create Jira issue for this issue
2- Apply the patch on rel-2-5-patches tag 2-5-3-1-RC1 and request to test it.
3- Tag 2-5-3-1-GA after successful test reports.
4- Post the security notice and patch somewhere appropriate on the uPortal wiki. (Suggestions are welcome for the appropriate place)
5- Build the uPortal-only and quick start for 2-5-3-1-GA (Since this is a critical bug I think we should do this step).
6- Update the website
7- Announce the availability of 2-5-3-1-GA on the user list.

Note: I have not created the quick start and never updated the website before, so I will be very happy to get any to-do task list or any advice.

Thanks everyone.

Faizan
William G. Thompson, Jr. wrote:
Folks,

Faizan will be working up a SECURITY release for the 2.5 branch this
week and Andrew is taking care of the 2.6 branch.

Bill


William G. Thompson, Jr. wrote:
This is a public notification of an identified uPortal security
vulnerability and workaround.  All uPortal adopters are encouraged to
review the following notice immediately and take appropriate action as
necessary.

---
*Title:*
RemoteUserSecurityContext exploit

*Summary:*
RemoteUserSecurityContext may allow an authenticated user to
authenticate as another user knowing only that user's account name. A
patch for this vulnerability is attached to this message.

*Issue:*
The vulnerability is exposed when the RemoteUserSecurityContextFactory
is used in conjunction with another security context factory under the
UnionSecurityContextFactory. The result of this configuration is that any
user who can access uPortal with REMOTE_USER set can become any other
portal user.

If authentication is attempted with the other security context, the
provided user id will be set on the principal. When the
RemoteUserSecurityContext executes, it attempts to set the user id of the
principal to the REMOTE_USER and returns that the principal is
authenticated. Since the principal already has a user id set, the setting
by RemoteUserSecurityContext fails silently, resulting in an
authenticated principal with the user id provided by the attacker, not
the value specified in the REMOTE_USER field.

An example vulnerable configuration from security.properties:
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.a=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
root.b=org.jasig.portal.security.provider.SimpleSecurityContextFactory

*Versions Affected:*
All (2.0, 2.1, 2.2, 2.3, 2.4, 2.5)

*Resolution:*
The resolution involves adding a check to RemoteUserSecurityContext to
verify that the setting of the REMOTE_USER user id was successful for the
principal. If it was not, the RemoteUserSecurityContext will not mark the
principal as authenticated.

*Patching:*
The attached patch should be applied to the file
/uPortal/source/org/jasig/portal/security/provider/RemoteUserSecurityContext.java

After application of the patch, compile and deploy the file to the
application server.
---

--
Join your friends and colleagues at JA-SIG with Altitude: June 24-27, 2007 in 
Denver, CO USA.

Featuring keynotes by: Phil Windley, Matt Raible, Matt Asay
Sessions on topics including: CAS, uPortal, Portlets, Sakai, Identity 
Management, and Open Source

For more information & registration visit: 
http://www.ja-sig.org/conferences/07summer/index.html
---
You are currently subscribed to [email protected] as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
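As an added illustration (not part of the notice and not uPortal's own code), the following Python model reproduces the interaction the Issue and Resolution sections describe under the quoted security.properties (root = Union, root.a = RemoteUser, root.b = Simple). The class names Principal, SimpleSecurityContext, RemoteUserSecurityContext and UnionSecurityContext mirror the classes the notice mentions but are simplified stand-ins; the login() helper, the check_set_result flag and the password table are constructed for the example. The single-use set_uid() models the silent failure the notice describes, and check_set_result switches between the vulnerable behaviour and the resolution (verify the set succeeded before marking the principal authenticated).

```python
"""Constructed model of the RemoteUserSecurityContext union flaw.

Hypothetical, simplified stand-ins for uPortal's security contexts; the
names mirror the notice but this is not uPortal code.
"""
from typing import Optional


class Principal:
    """A principal whose user id can be set only once.

    A second set_uid() call is refused and reports False. A caller that
    ignores that return value gets the 'fails silently' behaviour the
    notice describes.
    """

    def __init__(self) -> None:
        self.uid: Optional[str] = None

    def set_uid(self, uid: str) -> bool:
        if self.uid is not None:
            return False
        self.uid = uid
        return True


class SimpleSecurityContext:
    """Password-checking stand-in: checks the principal's uid against a
    constructed password table."""

    def __init__(self, passwords: dict) -> None:
        self.passwords = passwords
        self.authenticated = False

    def authenticate(self, principal: Principal, password: Optional[str], env: dict) -> bool:
        self.authenticated = (
            principal.uid is not None
            and password is not None
            and self.passwords.get(principal.uid) == password
        )
        return self.authenticated


class RemoteUserSecurityContext:
    """REMOTE_USER stand-in. check_set_result=False reproduces the vulnerable
    behaviour; True reproduces the resolution in the notice."""

    def __init__(self, check_set_result: bool) -> None:
        self.check_set_result = check_set_result
        self.authenticated = False

    def authenticate(self, principal: Principal, password: Optional[str], env: dict) -> bool:
        remote_user = env.get("REMOTE_USER")
        if not remote_user:
            self.authenticated = False
            return False
        set_ok = principal.set_uid(remote_user)
        if self.check_set_result:
            # Patched: trust REMOTE_USER only if the principal now carries it.
            self.authenticated = set_ok
        else:
            # Vulnerable: the failed set_uid() is ignored, so whatever uid the
            # principal already holds is treated as authenticated.
            self.authenticated = True
        return self.authenticated


class UnionSecurityContext:
    """Succeeds if any child succeeds; all children share one principal."""

    def __init__(self, *children) -> None:
        self.children = children

    def authenticate(self, submitted_uid: Optional[str], password: Optional[str], env: dict):
        principal = Principal()
        # As in the notice: a user id submitted to the login form lands on the
        # principal before the child contexts run.
        if submitted_uid:
            principal.set_uid(submitted_uid)
        for child in self.children:
            child.authenticate(principal, password, env)
        authenticated = any(c.authenticated for c in self.children)
        return authenticated, (principal.uid if authenticated else None)


PASSWORDS = {"victim": "correct horse", "attacker": "hunter2"}  # constructed table


def login(patched: bool, submitted_uid: Optional[str], password: Optional[str],
          remote_user: Optional[str]):
    """One login through root=Union(a=RemoteUser, b=Simple).
    Returns (authenticated, effective uid or None)."""
    root = UnionSecurityContext(
        RemoteUserSecurityContext(check_set_result=patched),
        SimpleSecurityContext(PASSWORDS),
    )
    env = {"REMOTE_USER": remote_user} if remote_user else {}
    return root.authenticate(submitted_uid, password, env)


if __name__ == "__main__":
    # A user who is REMOTE_USER=attacker submits uid=victim with a wrong password.
    print("vulnerable:", login(False, "victim", "wrong", "attacker"))  # (True, 'victim')
    print("patched:   ", login(True, "victim", "wrong", "attacker"))   # (False, None)
    print("patched, plain REMOTE_USER login:", login(True, None, None, "attacker"))  # (True, 'attacker')
```

The model also shows why the notice scopes the issue to users who can reach uPortal with REMOTE_USER set: with no REMOTE_USER and a wrong password, both configurations refuse the login, and a correct password still authenticates normally after the fix.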



--
Faizan Ahmed
Sr. Application Developer
Enterprise Systems and Services, Rutgers University
voice: 732 445-2763 | fax: 732 445-5493 |e-mail: [EMAIL PROTECTED]

