Author: ilgrosso Date: Mon Jul 7 11:07:45 2014 New Revision: 1608407 URL: http://svn.apache.org/r1608407 Log: Adding report for CVE-2014-3503
Modified: syncope/branches/1_1_X/src/site/xdoc/security.xml Modified: syncope/branches/1_1_X/src/site/xdoc/security.xml URL: http://svn.apache.org/viewvc/syncope/branches/1_1_X/src/site/xdoc/security.xml?rev=1608407&r1=1608406&r2=1608407&view=diff ============================================================================== --- syncope/branches/1_1_X/src/site/xdoc/security.xml (original) +++ syncope/branches/1_1_X/src/site/xdoc/security.xml Mon Jul 7 11:07:45 2014 
@@ -34,27 +34,59 @@ under the License. <p>If you want to report a vulnerability, please follow <a href="http://www.apache.org/security/">the procedure</a>.</p> - <subsection name="CVE-2014-0111: Remote code execution by an authenticated administrator"> - <p>In the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, user / role templates, account links of resource mappings) a malicious administrator can inject Java code that can be executed remotely by the JEE container running the Apache Syncope core.</p> + <subsection name="CVE-2014-3503: Insecure Random implementations used to generate passwords"> + <p>A password is generated for a user in Apache Syncope under certain circumstances, when no existing password + is found. However, the password generation code is relying on insecure Random implementations, which means + that an attacker could attempt to guess a generated password.</p> + + <p> + <b>Affects</b> + </p> + <p> + <ul> + <li>Releases 1.1.0 to 1.1.7</li> + </ul> + </p> + + <p> + <b>Fixed in</b> + </p> + <p> + <ul> + <li>Revision <a href="http://svn.apache.org/viewvc?view=revision&revision=r1596537">1596537</a></li> + <li>Release 1.1.8</li> + </ul> + </p> + <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3503">full CVE advisory</a>.</p> + </subsection> - <p><b>Affects</b></p> - <p> - <ul> - <li>Releases 1.0.0 to 1.0.8</li> - <li>Releases 1.1.0 to 1.1.6</li> - </ul> - </p> - - <p><b>Fixed in</b></p> - <p> - <ul> - <li>Revisions <a href="http://svn.apache.org/viewvc?view=revision&revision=r1586349">1586349</a> / <a href="http://svn.apache.org/viewvc?view=revision&revision=r1586317">1586317</a></li> - <li>Releases 1.0.9 / 1.1.7</li> - </ul> - </p> + <subsection name="CVE-2014-0111: Remote code execution by an authenticated administrator"> + <p>In the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, + user / role templates, account links of 
resource mappings) a malicious administrator can inject Java code + that can be executed remotely by the JEE container running the Apache Syncope core.</p> + + <p> + <b>Affects</b> + </p> + <p> + <ul> + <li>Releases 1.0.0 to 1.0.8</li> + <li>Releases 1.1.0 to 1.1.6</li> + </ul> + </p> + + <p> + <b>Fixed in</b> + </p> + <p> + <ul> + <li>Revisions <a href="http://svn.apache.org/viewvc?view=revision&revision=r1586349">1586349</a> / <a href="http://svn.apache.org/viewvc?view=revision&revision=r1586317">1586317</a></li> + <li>Releases 1.0.9 / 1.1.7</li> + </ul> + </p> - <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0111">full CVE advisory</a>.</p> + <p>Read the <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0111">full CVE advisory</a>.</p> </subsection> </section>
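Review bot: the new CVE-2014-3503 subsection tells operators only that "insecure Random implementations" were used and that a generated password could be guessed; the entry would be more useful if it named the code path concerned (the password generation that runs when no existing password is found) and stated whether passwords generated by releases 1.1.0 to 1.1.7 should be reset after upgrading to 1.1.8, since the text as written leaves that question open. Separately, both subsections nest `<ul>` directly inside `<p>` (`<p> <ul> <li>Releases 1.1.0 to 1.1.7</li> </ul> </p>`); a list is not permitted inside a paragraph in XHTML and browsers will auto-close the `<p>`, so the `<ul>` should sit on its own after the `<p><b>Affects</b></p>` and `<p><b>Fixed in</b></p>` lines.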