GRP-1227: security issue with subject api init params


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Fix Version/s: 2.0.4, 2.1.6, 2.2.2.patch, 2.3.0
    • Affects Version/s: 1.4.2, 1.5.3, 1.6.3, 2.0.3, 2.1.5, 2.2.2
    • Component/s: subject API
    • Labels: None

    Description

      Critical security vulnerability in the subject API. This can be exploited locally or remotely. Details of the exploit will remain confidential, but this is very important and urgent to address. The contents of sources.xml can be retrieved, including the params for a source, which can contain connect URLs, usernames, and passwords for the source.

      Grouper versions 1.4+ (API, UI, WS, loader) are affected by this if you have passwords in your sources.xml (if you use the GrouperJdbcConnectionProvider, have your password in ldap.properties, or use encrypted externalized passwords, this is less urgent for you).

      WORKAROUND:
      A workaround to quickly address the most sensitive part of this vulnerability is to externalize the passwords from the sources.xml.

      https://bugs.internet2.edu/jira/browse/GRP-122

      0. Change the database/ldap passwords referenced in the sources.xml file
      1. open morphString.properties on the classpath (e.g. conf/morphString.properties or WEB-INF/classes/morphString.properties)
      2. if there is something configured for encrypt.key, leave it; if not, put in a long random string or a filename (containing a long random string):

      encrypt.key =

      3. encrypt your sources.xml passwords (all of them, if any apply)

      windows (e.g. from WEB-INF dir):
      java -jar lib\morphString.jar
      Enter the location of morphString.properties: conf/morphString.properties
      Type the string to encrypt (note: pasting might echo it back):

      unix (e.g. from WEB-INF dir):
      java -jar lib/morphString.jar
      Enter the location of morphString.properties: conf/morphString.properties
      Type the string to encrypt (note: pasting might echo it back):

      4. take the encrypted string output by the previous command and save it into a text file, for example in unix in a/b/c.pass (in windows in a\b\c.pass)

      5. replace the passwords in the sources.xml file with the file names of the encrypted passes

      windows:

      <param-value>a\\b\\c.pass</param-value>

      unix:

      <param-value>a/b/c.pass</param-value>

      6. bounce the service
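      The two things the workaround above leaves you needing to verify are that no credential-looking init-param in sources.xml still holds an inline value (rather than a path to an encrypted file) and that encrypt.key is set in morphString.properties. The following audit script is added here as an example; it is not Grouper's own code, and the sources.xml sample, its <id> values and its param names are constructed. Whether a value counts as externalized is decided by a file-existence check that you can override.

```python
"""Audit helpers for the sources.xml workaround: flag credential-looking
init-params that still hold an inline value (not a path to an encrypted
file) and confirm encrypt.key is set in morphString.properties."""
import os
import re
import xml.etree.ElementTree as ET

# Param names that usually carry a credential (constructed heuristic).
CREDENTIAL_NAME = re.compile(r"pass|pwd|secret|credential", re.IGNORECASE)

# Constructed sources.xml sample; the <id> values and param names are hypothetical.
SAMPLE_SOURCES_XML = """<sources>
  <source adapterClass="edu.internet2.middleware.subject.provider.JDBCSourceAdapter">
    <id>jdbc</id>
    <init-param><param-name>dbUrl</param-name><param-value>jdbc:hsqldb:grouper</param-value></init-param>
    <init-param><param-name>dbUser</param-name><param-value>grouper</param-value></init-param>
    <init-param><param-name>dbPwd</param-name><param-value>hunter2</param-value></init-param>
  </source>
  <source adapterClass="edu.internet2.middleware.subject.provider.LdapSourceAdapter">
    <id>ldap</id>
    <init-param><param-name>PASSWORD</param-name><param-value>/opt/grouper/a/b/c.pass</param-value></init-param>
  </source>
</sources>"""


def find_inline_credentials(xml_text, file_exists=os.path.isfile):
    """Return (source id, param name) pairs whose credential-looking value
    is not a path to an existing file, i.e. the secret is still inline."""
    findings = []
    for source in ET.fromstring(xml_text).iter("source"):
        source_id = source.findtext("id") or source.get("adapterClass", "?")
        for param in source.iter("init-param"):
            name = (param.findtext("param-name") or "").strip()
            value = (param.findtext("param-value") or "").strip()
            if CREDENTIAL_NAME.search(name) and not file_exists(value):
                findings.append((source_id, name))
    return findings


def encrypt_key_configured(props_text):
    """True if morphString.properties sets a non-empty encrypt.key
    (a long random string or a filename holding one, per step 2)."""
    for line in props_text.splitlines():
        m = re.match(r"\s*encrypt\.key\s*[=:]\s*(.*?)\s*$", line)
        if m:
            return bool(m.group(1))
    return False
```

      Run find_inline_credentials on your real sources.xml with the default file check; anything it returns is a password that the workaround has not yet externalized.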

      FIX:

      First of all you need to change your passwords that are in the sources.xml.

      Patches will be provided for various versions of Grouper. v2.2.2 has a patch (grouper_v2_2_2_api_patch_2). If you are on another version of Grouper and the WORKAROUND above is not sufficient, and you cannot quickly upgrade to v2.2.2, please add a comment to this Jira with the version of Grouper you are running and the version of Java, and Chris will make a patch for you. Note: if you have implemented your own subject source (not common), you need to adjust this method in your implementation.

      To fix this vulnerability, the patch renames the edu.internet2.middleware.subject.Source method getInitParams() to initParams().

      Note: the following files need to be changed:

      (Grouper)
      edu.internet2.middleware.grouper.GrouperSourceAdapter.java
      edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.java (2.1-)

      (Subject)
      edu.internet2.middleware.subject.LazySource.java
      edu.internet2.middleware.subject.Source.java
      edu.internet2.middleware.subject.provider.BaseSourceAdapter.java
      edu.internet2.middleware.subject.provider.JDBCSourceAdapter.java
      edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.java (2.2+)
      edu.internet2.middleware.subject.provider.JNDISourceAdapter.java (2.1-)
      edu.internet2.middleware.subject.provider.JNDISourceAdapterLegacy.java (2.2+)
      edu.internet2.middleware.subject.provider.LdapSourceAdapter.java
      edu.internet2.middleware.subject.provider.SourceManager.java
      edu.internet2.middleware.subject.provider.SubjectImpl.java

      People

        chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)