Author: ilgrosso
Date: Mon Jul 7 11:09:33 2014
New Revision: 1608410

URL: http://svn.apache.org/r1608410
Log:
Publishing updated security page
Modified: syncope/site/security.html Modified: syncope/site/security.html URL: http://svn.apache.org/viewvc/syncope/site/security.html?rev=1608410&r1=1608409&r2=1608410&view=diff ============================================================================== --- syncope/site/security.html (original) +++ syncope/site/security.html Mon Jul 7 11:09:33 2014 @@ -8,7 +8,7 @@ <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="author" content="Apache Syncope Documentation Team" /> - <meta name="Date-Revision-yyyymmdd" content="20140703" /> + <meta name="Date-Revision-yyyymmdd" content="20140707" /> <meta http-equiv="Content-Language" content="en" /> <title>Apache Syncope - Security Advisories</title> @@ -143,7 +143,7 @@ <iframe src="http://www.facebook.com/plugins/like.php?href=http://syncope.apache.org/&send=false&layout=button_count&show-faces=false&action=like&colorscheme=dark" scrolling="no" frameborder="0" - style="border:none; width:100px; height:20px; margin-top: 10px;" class="pull-right" ></iframe> + style="border:none; width:80px; height:20px; margin-top: 10px;" class="pull-right" ></iframe> <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script> 
@@ -238,38 +238,83 @@ under the License. --> <div class="section"> -<h3>CVE-2014-0111: Remote code execution by an authenticated administrator<a name="CVE-2014-0111:_Remote_code_execution_by_an_authenticated_administrator"></a></h3> - -<p>In the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, user / role templates, account links of resource mappings) a malicious administrator can inject Java code that can be executed remotely by the JEE container running the Apache Syncope core.</p> +<h3>CVE-2014-3503: Insecure Random implementations used to generate passwords<a name="CVE-2014-3503:_Insecure_Random_implementations_used_to_generate_passwords"></a></h3> + +<p>A password is generated for a user in Apache Syncope under certain circumstances, when no existing password + is found. However, the password generation code is relying on insecure Random implementations, which means + that an attacker could attempt to guess a generated password.</p> + +<p> + <b>Affects</b> + </p> + +<p> + </p> +<ul> + +<li>Releases 1.1.0 to 1.1.7</li> + </ul> + - -<p><b>Affects</b></p> - + <p> - </p> + <b>Fixed in</b> + </p> + +<p> + </p> <ul> - + +<li>Revision <a class="externalLink" href="http://svn.apache.org/viewvc?view=revision&revision=r1596537">1596537</a></li> + +<li>Release 1.1.8</li> + </ul> + + + +<p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3503">full CVE advisory</a>.</p> + </div> + + +<div class="section"> +<h3>CVE-2014-0111: Remote code execution by an authenticated administrator<a name="CVE-2014-0111:_Remote_code_execution_by_an_authenticated_administrator"></a></h3> + +<p>In the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, + user / role templates, account links of resource mappings) a malicious administrator can inject Java code + that can be executed remotely by the JEE container running the Apache Syncope core.</p> + + +<p> + 
<b>Affects</b> + </p> + +<p> + </p> +<ul> + <li>Releases 1.0.0 to 1.0.8</li> - + <li>Releases 1.1.0 to 1.1.6</li> - </ul> - + </ul> + - -<p><b>Fixed in</b></p> - + +<p> + <b>Fixed in</b> + </p> + <p> - </p> + </p> <ul> - + <li>Revisions <a class="externalLink" href="http://svn.apache.org/viewvc?view=revision&revision=r1586349">1586349</a> / <a class="externalLink" href="http://svn.apache.org/viewvc?view=revision&revision=r1586317">1586317</a></li> - + <li>Releases 1.0.9 / 1.1.7</li> - </ul> - + </ul> + - + <p>Read the <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0111">full CVE advisory</a>.</p> </div> </div>
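Review bot: the second hunk touches only the width of the Facebook like-button iframe but leaves its src on plain `http://www.facebook.com/plugins/like.php?href=http://syncope.apache.org/...`, while the Google script on the very next line is loaded from `https://apis.google.com/js/plusone.js`; on a page whose purpose is publishing security advisories, an http-loaded third-party frame is active mixed content for visitors on https and can be tampered with on the wire, and it reports every visit to the page to a third party. Suggest changing the src to https (or protocol-relative `//www.facebook.com/...`) in the same edit, or dropping the widget from this page altogether.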
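Review bot: the new CVE-2014-3503 entry in the third hunk lists only "Releases 1.1.0 to 1.1.7" under Affects, whereas the CVE-2014-0111 entry right below enumerates both the 1.0.x and 1.1.x lines; state explicitly whether 1.0.0 to 1.0.9 are affected so readers do not have to guess. The entry also tells operators nothing beyond "relying on insecure Random implementations" and the fixed release: passwords already generated by an affected release do not become any less guessable when the code is upgraded to 1.1.8, so the text should say whether accounts that received a generated password need a reset, and it would help to name the generator the fix switched to (for instance `java.security.SecureRandom`, if that is what r1596537 introduced) so that deployments with custom password generators can check their own code. Minor: the empty `<p> </p>` blocks inserted before each `<ul>` are site-generator output and could be cleaned from the source page.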