Does this affect ALL versions of the Java client prior to 3.3.2?  For
example, I have an application that is using 3.1.8.  It's not in the 3.3.x
version.

Also, is there a way to get the 3.3.2 jar without having to do a Maven
build?  Latest on the downloads site is 3.2.x.

Thanks,
Tim

On 2014/08/11, 9:03 AM, "Marvin Addison" <marvin.addi...@gmail.com> wrote:

>A critical security vulnerability has been discovered in several Jasig
>CAS clients that allows URL parameter injection due to improper URL
>encoding at the back-channel ticket validation step of the CAS
>protocol. The following CVE number has been assigned to track this
>vulnerability:
>
>CVE-2014-4172
>
>Affected Software
>----------------------------------------
>Jasig Java CAS Client
>Vulnerable versions: <3.3.2
>Fix version: 3.3.2, http://search.maven.org/#browse%7C1586013685
>
>.NET CAS Client
>Vulnerable versions: <1.0.2
>Fix version: 1.0.2,
>http://downloads.jasig.org/cas-clients/dotnet/dotnet-client-1.0.2-bin.zip
>
>phpCAS
>Vulnerable versions: <1.3.3
>Fix version: 1.3.3,
>http://downloads.jasig.org/cas-clients/php/1.3.3/CAS-1.3.3.tgz
>
>There may be other CAS clients that are vulnerable.
>
>Impact
>----------------------------------------
>The nature of the vulnerability allows malicious remote (network)
>agents to craft attack URLs that bypass security constraints of the
>CAS protocol. The following attack scenarios are known and have been
>demonstrated:
>
>1. A malicious service that can obtain a valid ticket can use it to
>access another service in violation of the CAS protocol requirement
>that a ticket issued for a service can only be used to access the
>service for which the ticket was granted. This type of access amounts
>to an illicit proxy: the attacker is proxying authentication for the
>target.
>2. A malicious user can request a ticket for service A and use it to
>access service B with the access privileges of A.
>
>Attacks like scenario 1 could result in unauthorized data disclosure,
>while scenario 2 could result in privilege escalation. Other attack
>scenarios may be possible.
>
>Remediation
>----------------------------------------
>Upgrade affected CAS clients as soon as possible. Consider mitigation
>if upgrading is not possible.
>
>Mitigation
>----------------------------------------
>The CAS Service Management facility [1], which is enabled by default,
>can be used to restrict services that are permitted to use CAS (i.e.
>allowed to request tickets). Whitelisting trusted services can reduce
>the scope of attacks like scenario 1 above.
>
>The following servlet filter may provide additional defense at the CAS
>server against some forms of this attack:
>
>https://github.com/Jasig/cas-server-security-filter/tree/cas-server-security-filter-1.0.0
>
>Best,
>Marvin Addison
>CAS Developer
>
>[1] http://jasig.github.io/cas/4.0.0/installation/Service-Management.html
>
>-- 
>You are currently subscribed to cas-user@lists.jasig.org as:
>tim.mclaugh...@wwu.edu
>To unsubscribe, change settings or access archives, see
>http://www.ja-sig.org/wiki/display/JSG/cas-user


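As an added example that is not part of this thread and not code from any of the Jasig clients, the following Python sketch illustrates the encoding point behind the quoted advisory: a CAS client builds the back-channel validation request from the `service` and `ticket` values, and each value must be percent-encoded as a single query parameter before it reaches the CAS server. The naive builder is shown only for contrast, using a legitimate service URL that happens to carry its own query string; the CAS base URL, service URL and ticket value are constructed placeholders, and `/serviceValidate` is used simply as the CAS 2.0 validation endpoint name.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values, not real deployments or tickets.
CAS_BASE = "https://cas.example.edu/cas"
SERVICE = "https://app.example.edu/login?next=/reports&tab=2"
TICKET = "ST-0000-constructed"


def naive_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Defective pattern: plain string concatenation with no percent-encoding.
    Reserved characters inside `service` ('?', '&', '=') become URL syntax on
    the wire, so the server no longer sees the service the client intended."""
    return f"{cas_base}/serviceValidate?service={service}&ticket={ticket}"


def safe_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Hardened pattern: urlencode() percent-encodes each value, so `service`
    and `ticket` each arrive as exactly one parameter, whatever they contain."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"{cas_base}/serviceValidate?{query}"


def validation_parameters(url: str) -> dict[str, list[str]]:
    """What the CAS server would see: the query string parsed back into
    parameters (parse_qs decodes percent-escapes for us)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def service_round_trips(builder, cas_base: str, service: str, ticket: str) -> bool:
    """Defender's check: after the round trip the server must see exactly
    one `service` and one `ticket`, and `service` must equal the value the
    client meant, because CAS compares it with the service the ticket was
    issued for."""
    params = validation_parameters(builder(cas_base, service, ticket))
    return (
        set(params) == {"service", "ticket"}
        and params["service"] == [service]
        and params["ticket"] == [ticket]
    )


if __name__ == "__main__":
    for name, builder in (("naive", naive_validate_url), ("safe", safe_validate_url)):
        url = builder(CAS_BASE, SERVICE, TICKET)
        print(f"{name}: {url}")
        print(f"  server sees: {validation_parameters(url)}")
        print(f"  service intact: {service_round_trips(builder, CAS_BASE, SERVICE, TICKET)}")
```

Running the script shows the naive request splitting the service URL at its own `&`, so the server receives a truncated `service` plus a stray `tab` parameter, while the encoded request reproduces the service value exactly. The same round-trip check is a cheap unit test to keep in any client that assembles validation URLs by hand.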