grouper-announce - [grouper-announce] Grouper zero-day severe and important security vulnerability
Subject: Grouper Announcements and News
List archive
[grouper-announce] Grouper zero-day severe and important security vulnerability
Chronological Thread
- From: Chris Hyzer <>
- To: "" <>
- Subject: [grouper-announce] Grouper zero-day severe and important security vulnerability
- Date: Wed, 11 Oct 2023 14:37:33 +0000 (UTC)
Grouper security advisory
There is a zero-day severe and important security issue with Grouper. If you are deployed in a certain configuration, then you are affected. There are configuration changes you can make to protect yourself from the vulnerability. These changes do not require an upgrade, patch, or downtime. It is critical that you take these steps now.
Since the vulnerability is not documented and there is a mitigation plan, we are giving institutions some time to update their environment. On or after Wednesday October 18, 2023, updates to the Grouper container releases for recent and current versions will be published, a CVE will be filed, and details of the issue will be provided. However, if you are affected then you are at serious risk now and should react as if the details are known by addressing this immediately.
Might you be affected?
You might be affected if you run Grouper with either of these configurations in the grouper.hibernate.properties file:
grouper.is.ws.basicAuthn = true
grouper.is.ui.basicAuthn = true
Or if you have either of these container environment variables set:
GROUPER_WS_GROUPER_AUTH=true
GROUPER_UI_GROUPER_AUTH=true
Thank you.
Chris Hyzer on behalf of the Grouper project
- [grouper-announce] Grouper zero-day severe and important security vulnerability, Chris Hyzer, 10/11/2023
- Re: [grouper-announce] Grouper zero-day severe and important security vulnerability, Chris Hyzer, 10/16/2023
Archive powered by MHonArc 2.6.24.