Re: [uportal-dev] uPortal Security Notice: RemoteUserSecurityContext exploit
Hi again!

I just looked at the current rel-2-5-patches head and the rel-2-5-3-GA tag. A quick compare gave me a significant number of differences between the two code bases. That means several changes have gone into the rel-2-5-patches branch since the release of rel-2-5-3-GA. These changes are targeted at rel-2-5-4, as JIRA pointed out.

Here is what I am thinking in the present situation:
- Branch off from tag rel-2-5-3-GA (I will call the branch rel-2-5-3-patches).
- Apply the security patch in this branch and also in the head of rel-2-5-patches.

The tag "rel-2-5-3-1" will be done on the newly created branch (rel-2-5-3-patches).

I will wait until 1330 EST for any negative response. If I do not get any negative response about my plan by then, I will execute the plan as mentioned above.

Thanks.
Faizan

--
Join your friends and colleagues at JA-SIG with Altitude: June 24-27, 2007 in Denver, CO USA.
Featuring keynotes by: Phil Windley, Matt Raible, Matt Asay
Sessions on topics including: CAS, uPortal, Portlets, Sakai, Identity Management, and Open Source
For more information & registration visit: http://www.ja-sig.org/conferences/07summer/index.html
---
You are currently subscribed to uportal-dev@lists.ja-sig.org as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
Re: [uportal-dev] uPortal Security Notice: RemoteUserSecurityContext exploit
Hi,

As Bill has mentioned, I will be taking care of the 2.5 branch, which includes:
1- Create a Jira issue for this issue.
2- Apply the patch on rel-2-5-patches, tag 2-5-3-1-RC1 and request to test it.
3- Tag 2-5-3-1-GA after successful test reports.
4- Post the security notice and patch somewhere appropriate on the uPortal wiki. (Suggestions are welcome for the appropriate place.)
5- Build the uPortal-only and quick start for 2-5-3-1-GA (since this is a critical bug I think we should do this step).
6- Update the website.
7- Announce the availability of 2-5-3-1-GA on the user list.

Note: I have not created the quick start and never updated the website before; I will be very happy to get any to-do task list or any advice.

Thanks everyone.
Faizan

--
Faizan Ahmed
Sr. Application Developer
Enterprise Systems and Services, Rutgers University
voice: 732 445-2763 | fax: 732 445-5493 | e-mail: [EMAIL PROTECTED]
Re: [uportal-dev] uPortal Security Notice: RemoteUserSecurityContext exploit
Folks,

Faizan will be working up a SECURITY release for the 2.5 branch this week and Andrew is taking care of the 2.6 branch.

Bill

William G. Thompson, Jr. wrote:
> This is a public notification of an identified uPortal security
> vulnerability and workaround. All uPortal adopters are encouraged to
> review the following notice immediately and take appropriate action as
> necessary.
>
> ---
> *Title:*
> RemoteUserSecurityContext exploit
>
> *Summary:*
> RemoteUserSecurityContext may allow an authenticated user to
> authenticate as another user knowing only that user's account name. A
> patch for this vulnerability is attached to this message.
>
> *Issue:*
> The vulnerability is exposed when the RemoteUserSecurityContextFactory
> is used in conjunction with another security context factory under the
> UnionSecurityContextFactory. The result of this configuration is that any
> user who can access uPortal with REMOTE_USER set can become any other
> portal user.
>
> If authentication is attempted with the other security context, the
> provided user id will be set on the principal. When the
> RemoteUserSecurityContext executes, it attempts to set the user id of the
> principal to the REMOTE_USER and returns that the principal is
> authenticated. Since the principal already has a user id set, the setting
> by RemoteUserSecurityContext fails silently, resulting in an
> authenticated principal with the user id provided by the attacker, not
> the value specified in the REMOTE_USER field.
>
> An example vulnerable configuration from security.properties:
> root=org.jasig.portal.security.provider.UnionSecurityContextFactory
> root.a=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
> root.b=org.jasig.portal.security.provider.SimpleSecurityContextFactory
>
> *Versions Affected:*
> All (2.0, 2.1, 2.2, 2.3, 2.4, 2.5)
>
> *Resolution:*
> The resolution involves adding a check to RemoteUserSecurityContext to
> verify that the setting of the REMOTE_USER user id was successful for the
> principal. If it was not, the RemoteUserSecurityContext will not mark the
> principal as authenticated.
>
> *Patching:*
> The attached patch should be applied to the file
> /uPortal/source/org/jasig/portal/security/provider/RemoteUserSecurityContext.java
>
> After application of the patch, compile and deploy the file to the
> application server.
> ---
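The failure mode the notice describes, as an added example that is not part of the original messages or of uPortal's code: a minimal stand-in for the union-of-contexts login, written for this page. The Principal, SecurityContext, SimpleContext, VulnerableRemoteUserContext, PatchedRemoteUserContext and unionLogin names are simplified stand-ins, not uPortal's ISecurityContext/IPrincipal API. The model assumes, as the notice implies, that the credential-bearing context runs before the REMOTE_USER context and that a principal's user id can only be set once, with later attempts failing without an exception. The "admin", "mallory" and password values are constructed inputs.

```java
// Added example: stand-in model of the union-context login described in
// the uPortal notice. Names below are NOT uPortal's real API.
import java.util.ArrayList;
import java.util.List;

public class RemoteUserUnionDemo {

    // Stand-in principal: the uid can be set exactly once. A second
    // attempt is the "fails silently" case the notice describes.
    static class Principal {
        private String uid;

        boolean setUID(String value) {
            if (uid != null) {
                return false; // already set: caller must look at this result
            }
            uid = value;
            return true;
        }

        String getUID() {
            return uid;
        }
    }

    interface SecurityContext {
        // true if this context considers the principal authenticated
        boolean authenticate(Principal p, String submittedUser,
                             String submittedPassword, String remoteUser);
    }

    // Stand-in for the credential context: records the submitted user id
    // on the principal, then checks the (constructed) password.
    static class SimpleContext implements SecurityContext {
        public boolean authenticate(Principal p, String user,
                                    String pw, String remoteUser) {
            if (user == null) {
                return false; // nothing submitted, leave the principal alone
            }
            p.setUID(user);
            return "correct-password".equals(pw); // constructed credential
        }
    }

    // Vulnerable behaviour: the result of setUID is discarded, so the
    // principal is reported authenticated even if REMOTE_USER never
    // became its uid.
    static class VulnerableRemoteUserContext implements SecurityContext {
        public boolean authenticate(Principal p, String user,
                                    String pw, String remoteUser) {
            if (remoteUser == null) {
                return false;
            }
            p.setUID(remoteUser); // return value ignored (the bug)
            return true;
        }
    }

    // Patched behaviour, as the notice's resolution describes: only
    // authenticated if REMOTE_USER actually became the principal's uid.
    static class PatchedRemoteUserContext implements SecurityContext {
        public boolean authenticate(Principal p, String user,
                                    String pw, String remoteUser) {
            if (remoteUser == null) {
                return false;
            }
            return p.setUID(remoteUser);
        }
    }

    // Stand-in for the union context: authenticated if any child says so.
    // Returns the principal's uid on success, null otherwise.
    static String unionLogin(List<SecurityContext> children, String user,
                             String pw, String remoteUser) {
        Principal p = new Principal();
        boolean authenticated = false;
        for (SecurityContext c : children) {
            authenticated |= c.authenticate(p, user, pw, remoteUser);
        }
        return authenticated ? p.getUID() : null;
    }

    public static void main(String[] args) {
        // Attacker "mallory" reaches the portal with REMOTE_USER set and
        // submits user "admin" with a wrong password (constructed inputs).
        List<SecurityContext> vulnerable = new ArrayList<>();
        vulnerable.add(new SimpleContext());
        vulnerable.add(new VulnerableRemoteUserContext());
        System.out.println("vulnerable wiring, attacker request -> "
                + unionLogin(vulnerable, "admin", "wrong", "mallory"));

        List<SecurityContext> patched = new ArrayList<>();
        patched.add(new SimpleContext());
        patched.add(new PatchedRemoteUserContext());
        System.out.println("patched wiring, attacker request -> "
                + unionLogin(patched, "admin", "wrong", "mallory"));

        // Legitimate REMOTE_USER login with no submitted credentials.
        System.out.println("patched wiring, plain REMOTE_USER login -> "
                + unionLogin(patched, null, null, "mallory"));
    }
}
```

Compile and run with javac RemoteUserUnionDemo.java && java RemoteUserUnionDemo. In the vulnerable wiring the union reports an authenticated principal carrying the attacker-submitted uid even though the password check failed; in the patched wiring the same request is rejected, while the plain REMOTE_USER login with no submitted credentials still authenticates as the REMOTE_USER value. The point of the patch is the one-line difference between the two REMOTE_USER contexts: the outcome of setting the uid is the authentication decision, not a side effect to ignore.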