Hi,

I planned not to interfere in this discussion, but seriously we should stop
it now.

I made the announcement and I reviewed and agreed to the CVE: so I'll take
my full part of responsibility if things are not clear. I'd like to thank
J. Tozo for the time he took on this and the right approach to contact us
first privately.

This has been discussed privately within the CAS PMC. This is a security
issue: * should never be treated as a wildcard but as a single character.
Thus the CVE. I still believe it was the right thing to do, even if in
light of your last comments, it was too alarming.

My announcement said:
You must notice that there is a security fix for the "LDAP login with
wildcards" attack (CVE-2015-1169). *You must upgrade if you use LDAP
authentication*

It was broadcast with other bugfixes and feature backports, meaning it's
not a critical vulnerability. Otherwise, there would have been a dedicated
communication.
No "critical" word. Maybe I should have said "minor". I did not say "you
should upgrade NOW!".
I think "LDAP login with wildcards" is a reasonable description.
I thought all LDAP handlers were vulnerable but this is not the case. Yes,
I was wrong.

I don't think we can always imagine all use cases and data topology, so one
must be careful and upgrade to 3.5.3, even if it's not in a hurry. If we
hadn't created a CVE, I'm sure someone would have blamed us for that.

But, above all, I'd like to remind you about the great efforts and the good
will of the volunteers of the CAS community. We deserve more clemency (we
are not all in the same timezones and are not all fluent in English) and
courtesy.

Best regards,


Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
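The point above, that a literal `*` in a submitted username must reach the directory as a single character rather than as an LDAP wildcard, is easiest to see with the RFC 4515 filter escaping side by side with an unescaped filter. The following is an added illustration written for this thread; it is not CAS code and uses Python rather than CAS's Java. The `assertion_matches` helper is a deliberately small emulation of how a server evaluates a single equality or substring assertion, the `uid` attribute name and the three-entry directory are constructed for the demo, and `build_uid_filter_unsafe` exists only to show the behaviour that the escaping prevents.

```python
import re

# RFC 4515 section 3: characters that are special in an assertion value and
# their hex escape forms. Backslash must be listed so it is not re-escaped.
LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so every character in it is matched literally."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter_unsafe(username: str) -> str:
    """Interpolates the raw username: a '*' becomes a wildcard (the bug)."""
    return f"(uid={username})"


def build_uid_filter(username: str) -> str:
    """Interpolates the escaped username: a '*' stays a single character."""
    return f"(uid={escape_filter_value(username)})"


def _unescape(piece: str) -> str:
    """Turn \\xx hex escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def assertion_matches(filter_str: str, attr: str, value: str) -> bool:
    """Emulate server-side evaluation of '(attr=pattern)' against one value.

    An unescaped '*' in the pattern is a substring wildcard; every other
    character, including escaped sequences, must match literally.
    """
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m or m.group(1) != attr:
        return False
    # Escapes are hex pairs, so any remaining '*' is a genuine wildcard.
    parts = [_unescape(p) for p in m.group(2).split("*")]
    if len(parts) == 1:
        return value == parts[0]
    initial, final, middle = parts[0], parts[-1], parts[1:-1]
    if len(value) < len(initial) + len(final):
        return False
    if not value.startswith(initial) or not value.endswith(final):
        return False
    rest = value[len(initial):len(value) - len(final)]
    pos = 0
    for piece in middle:
        idx = rest.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


# Constructed directory for the demo: the uid values a search would scan.
DIRECTORY = ["alice", "bob", "carol"]


def matching_uids(filter_str: str, directory=DIRECTORY) -> list:
    """Return every uid in the directory that the filter matches."""
    return [uid for uid in directory if assertion_matches(filter_str, "uid", uid)]


if __name__ == "__main__":
    for username in ["alice", "*", "a*"]:
        print(repr(username), "unsafe ->", matching_uids(build_uid_filter_unsafe(username)))
        print(repr(username), "escaped ->", matching_uids(build_uid_filter(username)))
```

With the unsafe builder, a submitted username of `*` produces `(uid=*)` and matches every entry, which is what made a wildcard in the login form a security issue; with escaping it produces `(uid=\2a)` and matches only an entry whose uid is literally `*`. The same escaping applies to any attribute value interpolated into a filter, not just `uid`.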

2015-01-24 2:50 GMT+01:00 Paul B. Henson <hen...@csupomona.edu>:

> > From: J. Tozo
> > Sent: Friday, January 23, 2015 3:35 PM
> >
> > http://www-01.ibm.com/support/docview.wss?uid=swg21682946
>
> Nice try (just to be polite), but sorry, fail.
>
> The title of the IBM bulletin is "Brute-force attack in ClearQuest Web".
> The detailed description is "IBM Rational ClearQuest could allow a remote
> attacker to bypass security restrictions, caused by an error in the login
> form. An attacker could exploit this vulnerability using brute-force
> techniques to gain access to a user's account."
>
> The actual CVE (
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3101) description
> is "The login form in the Web component in IBM Rational ClearQuest 7.1
> before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not
> insert a delay after a failed authentication attempt, which makes it easier
> for remote attackers to obtain access via a brute-force attack."
>
> So exactly what in any of that are you interpreting as "bypassing
> authentication"? While the IBM description does indeed include the word
> "bypass" (but note the actual CVE does not), it says the issue allows you
> "to bypass security restrictions", not "bypass authentication".
>
> If you actually read the bulletin, you will see the problem under
> discussion is that the web form did not have any mechanism to alleviate
> against a brute force attack. You could feed it usernames and passwords as
> fast as the network would allow you to. Honestly, I don't even know if that
> could be classified as an "error in the login form" so much as the lack of
> an anti-brute forcing feature.
>
> While you did manage to find a document that contained the words "bypass",
> "bruteforce", and "authentication", it really has no bearing on your CVE
> nor in any way supports or defends your position that your CVE in any way
> describes a vulnerability that "bypasses authentication". For the most
> part, your presentation of this document simply further solidifies my
> opinion on your lack of understanding of security concepts and basic
> terminology, as well as your inability to analyze and properly classify
> security vulnerabilities.
>
> But feel free to try again. I suppose shooting fish in a barrel isn't very
> sportsmanlike, but sometimes it does offer a perverse level of enjoyment.
> And perhaps is even a bit cathartic after the annoyance you caused me
> yesterday morning.
>
> --
> Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
> Operating Systems and Network Analyst  |  hen...@cpp.edu
> California State Polytechnic University  |  Pomona CA 91768
>
>
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> lel...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
