
grouper-announce - Re: [grouper-announce] Grouper zero-day severe and important security vulnerability

Subject: Grouper Announcements and News

  • From: Chris Hyzer <>
  • To: "" <>
  • Subject: Re: [grouper-announce] Grouper zero-day severe and important security vulnerability
  • Date: Mon, 16 Oct 2023 17:13:57 +0000 (UTC)

Regarding this advisory below for the Grouper Security Vulnerability, no one has said they need more time to remediate before we file a CVE and the details will be universally known.  So the schedule is this week we will let people know who are affected how they can test their remediated envs, and then we can file the CVE.  If you need more time to determine if you are affected or to remediate please send me an email ASAP:  .  Thanks! 

On Wednesday, October 11, 2023 at 10:37:33 AM EDT, Chris Hyzer <> wrote:


Grouper security advisory

There is a zero-day severe and important security issue with Grouper.  If you are deployed in a certain configuration, then you are affected.  There are configuration changes you can make to protect yourself from the vulnerability.  These changes do not require an upgrade, patch, or downtime.  It is critical that you take these steps now.


Since the vulnerability is not documented and there is a mitigation plan, we are giving institutions some time to update their environment.  On or after Wednesday October 18, 2023, updates to the Grouper container releases for recent and current versions will be published, a CVE will be filed, and details of the issue will be provided.  However, if you are affected then you are at serious risk now and should react as if the details are known by addressing this immediately.


Might you be affected?


You might be affected if you run Grouper with either of these configurations in the grouper.hibernate.properties file:

grouper.is.ws.basicAuthn = true
grouper.is.ui.basicAuthn = true

Or if you have either of these container environment variables set:

GROUPER_WS_GROUPER_AUTH=true
GROUPER_UI_GROUPER_AUTH=true
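A quick way to test whether a deployment matches the configurations listed above (added example for this page, not Grouper project code). It reads one grouper.hibernate.properties file plus the container environment and flags any of the four settings that is set to true; Grouper's layering of several properties files is not modelled, and the sample file and environment below are constructed.

```python
"""Flag the Grouper configuration the advisory above names as potentially affected.
Added example for this page, not Grouper project code."""
import os
import re

# Settings named in the advisory; any one of them set to true means "might be affected".
AFFECTED_PROPERTIES = ("grouper.is.ws.basicAuthn", "grouper.is.ui.basicAuthn")
AFFECTED_ENV_VARS = ("GROUPER_WS_GROUPER_AUTH", "GROUPER_UI_GROUPER_AUTH")

# Constructed sample grouper.hibernate.properties; not taken from any real deployment.
SAMPLE_PROPERTIES = """# constructed sample
hibernate.connection.url = jdbc:postgresql://db/grouper
grouper.is.ws.basicAuthn = true
grouper.is.ui.basicAuthn = \\
    false
"""
# Constructed sample container environment (value case varies between deployments).
SAMPLE_ENV = {"GROUPER_UI_GROUPER_AUTH": "TRUE", "GROUPER_WS_GROUPER_AUTH": "false"}


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations. A later duplicate key overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def affected_settings(props, env):
    """Return the advisory settings that are enabled in the given config and environment."""
    hits = [k for k in AFFECTED_PROPERTIES if props.get(k, "").strip().lower() == "true"]
    hits += [v for v in AFFECTED_ENV_VARS if env.get(v, "").strip().lower() == "true"]
    return hits


def check_deployment(properties_path, env=os.environ):
    """Check a real grouper.hibernate.properties file plus the process environment."""
    with open(properties_path, encoding="utf-8") as fh:
        return affected_settings(parse_properties(fh.read()), env)


if __name__ == "__main__":
    hits = affected_settings(parse_properties(SAMPLE_PROPERTIES), SAMPLE_ENV)
    print("might be affected:", hits or "no")
```

Run check_deployment("/path/to/grouper.hibernate.properties") inside the container so the environment variables it actually sees are the ones checked.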


Contact

If you might be affected, then send a direct Slack message to Chris Hyzer, the project lead (request to join InCommon Slack).  If you are not in InCommon Slack then email .  The next steps will be provided.


Thank you.

Chris Hyzer on behalf of the Grouper project
