[grouper-announce] Grouper zero-day severe and important security vulnerability


  • From: Chris Hyzer <>
  • To: "" <>
  • Subject: [grouper-announce] Grouper zero-day severe and important security vulnerability
  • Date: Wed, 11 Oct 2023 14:37:33 +0000 (UTC)

Grouper security advisory

There is a zero-day severe and important security issue with Grouper.  If you are deployed in a certain configuration, then you are affected.  There are configuration changes you can make to protect yourself from the vulnerability.  These changes do not require an upgrade, patch, or downtime.  It is critical that you take these steps now.

 

Since the vulnerability is not documented and there is a mitigation plan, we are giving institutions some time to update their environment.  On or after Wednesday October 18, 2023, updates to the Grouper container releases for recent and current versions will be published, a CVE will be filed, and details of the issue will be provided.  However, if you are affected then you are at serious risk now and should react as if the details are known by addressing this immediately.

 

Might you be affected?

You might be affected if you run Grouper with either of these configurations in the grouper.hibernate.properties file:

grouper.is.ws.basicAuthn = true
grouper.is.ui.basicAuthn = true

Or if you have either of these container environment variables set:

GROUPER_WS_GROUPER_AUTH=true
GROUPER_UI_GROUPER_AUTH=true


Contact

If you might be affected, then send a direct Slack message to Chris Hyzer, the project lead (request to join InCommon Slack).  If you are not in InCommon Slack then email .  The next steps will be provided.

Thank you.

Chris Hyzer on behalf of the Grouper project
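
One way to check a deployment for the settings listed in the advisory, as an added example that is not part of the original message or the Grouper project's own tooling. The function names are hypothetical, the path to grouper.hibernate.properties is supplied by the caller, and the environment check only reflects the environment the script runs in, so it is assumed to be run inside the Grouper container.

```shell
#!/bin/sh
# Added example (not from the Grouper project): report the settings named in the advisory.

# Print each advisory property whose effective (last-defined) value in file $1 is "true".
grouper_props_hits() {
    awk '
        /^[ \t]*[#!]/ { next }                       # properties-file comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            if (!match(line, /^[^ \t=:]+/)) next     # blank line, no key
            key = substr(line, 1, RLENGTH)
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*[=:]?[ \t]*/, "", val)       # "=", ":" or whitespace separator
            if (key == "grouper.is.ws.basicAuthn" || key == "grouper.is.ui.basicAuthn")
                last[key] = tolower(val)             # case-insensitive match is an assumption
        }
        END { for (k in last) if (last[k] == "true") print k }
    ' "$1" | sort
}

# Print each advisory environment variable exported as "true" in this environment.
grouper_env_hits() {
    env | awk -F= '
        ($1 == "GROUPER_WS_GROUPER_AUTH" || $1 == "GROUPER_UI_GROUPER_AUTH") &&
            tolower($2) == "true" { print $1 }
    ' | sort
}

# Return 1 and list the matches if any setting from the advisory is enabled, else return 0.
grouper_basic_auth_check() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    hits=$(grouper_props_hits "$1"; grouper_env_hits)
    if [ -z "$hits" ]; then echo "no advisory setting enabled"; return 0; fi
    echo "might be affected, enabled settings:"
    echo "$hits"
    return 1
}

# Constructed sample file, for demonstration only (not a real deployment's configuration).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'grouper.is.ws.basicAuthn = false' 'grouper.is.ui.basicAuthn=true' > "$sample"
grouper_basic_auth_check "$sample" || true
rm -f "$sample"
```

The check reads only the file it is given; a setting supplied from another configuration source would not be seen by it.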





