uPortal developers,
A critical security vulnerability has today been disclosed as affecting all previous versions of the Jasig Java CAS Client, including the Java CAS Client library shipping in all recent versions of uPortal. That uPortal was shipping a vulnerable Java CAS Client version is tracked in UP-4205.

This is CVE-2014-4172 and amounts to a defeat of the CAS protocol feature whereby uPortal identifies itself to the CAS server so the CAS server can confirm that the CAS Service Ticket being validated was issued for the purpose of authenticating to uPortal (rather than to some other service). The upshot is that with this vulnerability in place, an adversary who has gained access to a Service Ticket valid for authenticating to any application can use that Service Ticket to authenticate to uPortal. So, in practice, one might exploit this by compromising some CAS-using host and thereby gaining access to a stream of Service Tickets as users authenticate to it. More information is available at https://lists.wisc.edu/read/messages?id=33836937.

Adopters can immediately block this vulnerability by replacing their Java CAS Client .jar files with the latest release from the CAS project. This can be done through manual heroics now, and can be done purely by updating the Maven pom.xml configuration (and re-building and re-deploying, of course) as soon as the fixed Java CAS Client .jar hits Maven Central. (Some CAS clients other than the Java CAS Client are also affected by this vulnerability, so adopters using novel CAS integrations different from the one shipping in uPortal may, or may not, be vulnerable.)

One of the purposes of the forthcoming uPortal 4.0.15 and 4.1.1 patch releases is to ship uPortal releases including a fixed version of the Java CAS Client, so that adopters of these releases need not locally replace the Java CAS Client .jar to block this vulnerability.
Kind regards,
Andrew

--
This message was sent to the uportal-dev list. To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/uportal-dev
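The service-binding check that the message says CVE-2014-4172 defeats, as an added, runnable model that is not uPortal, Java CAS Client or CAS server code. It stands in for both sides of the CAS exchange: the server issues a Service Ticket bound to the service it was requested for, and a client presents the ticket together with its own service URL on /serviceValidate. A ticket harvested from another CAS-using host (the wiki below) is then rejected for uPortal with INVALID_SERVICE, which is exactly the outcome the vulnerability removes. Host names, ticket strings and the CAS_PREFIX are constructed for the example; the message itself does not describe the client-side mechanism of the flaw, and this model does not attempt to reproduce it.

```python
"""Constructed model of CAS service-ticket validation (not project code)."""
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_PREFIX = "https://cas.example.edu/cas"  # assumed CAS server URL


class CasServer:
    """Issues service tickets bound to one service and validates them only
    against that same service, as the CAS protocol requires."""

    def __init__(self):
        self._tickets = {}  # ticket -> (user, service it was issued for)
        self._counter = 0

    def issue_service_ticket(self, user, service):
        """Mint a single-use ST for `user`, bound to `service`."""
        self._counter += 1
        ticket = f"ST-{self._counter}-constructed"
        self._tickets[ticket] = (user, service)
        return ticket

    def service_validate(self, validation_url):
        """Handle a client's GET to /serviceValidate.

        Returns (True, username) on success, or (False, error_code)."""
        if not validation_url.startswith(CAS_PREFIX + "/serviceValidate?"):
            return False, "INVALID_REQUEST"
        params = parse_qs(urlsplit(validation_url).query)
        ticket = params.get("ticket", [None])[0]
        service = params.get("service", [None])[0]
        if ticket is None or service is None:
            return False, "INVALID_REQUEST"
        entry = self._tickets.get(ticket)
        if entry is None:
            return False, "INVALID_TICKET"
        user, issued_for = entry
        if issued_for != service:
            # The check the message describes: the ST was issued for
            # some other service, so the presenting service is refused.
            return False, "INVALID_SERVICE"
        del self._tickets[ticket]  # consumed on successful validation
        return True, user


class CasClient:
    """Client that identifies itself to the CAS server by sending its own
    service URL (URL-encoded) alongside the ticket it received."""

    def __init__(self, server, service_url):
        self._server = server
        self.service_url = service_url

    def validation_url(self, ticket):
        query = urlencode({"ticket": ticket, "service": self.service_url})
        return f"{CAS_PREFIX}/serviceValidate?{query}"

    def login_with_ticket(self, ticket):
        return self._server.service_validate(self.validation_url(ticket))


def demo():
    """Run the exchange for a legitimate login, a replay, and a ticket
    harvested from another service; return each outcome by name."""
    cas = CasServer()
    uportal = CasClient(cas, "https://uportal.example.edu/uPortal/Login")
    wiki = CasClient(cas, "https://wiki.example.edu/login")
    results = {}

    # Normal flow: ST issued for uPortal, presented to uPortal.
    st_uportal = cas.issue_service_ticket("alice", uportal.service_url)
    results["legit"] = uportal.login_with_ticket(st_uportal)
    # Presenting the same ST again fails: service tickets are single-use.
    results["replay"] = uportal.login_with_ticket(st_uportal)

    # ST issued for the wiki (e.g. captured on a compromised wiki host)
    # and presented to uPortal: the service binding must reject it.
    st_wiki = cas.issue_service_ticket("alice", wiki.service_url)
    results["cross_service"] = uportal.login_with_ticket(st_wiki)
    # The wiki itself can still validate its own ticket.
    results["wiki_own"] = wiki.login_with_ticket(st_wiki)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

The comparison in `service_validate` is an exact string match on the service the client reports, which is why the client's reported identity must be trustworthy: once an attacker can influence which `service` value reaches the CAS server, a ticket issued for any application passes the same check.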
