Grouper Developers Forum

[Chris Hyzer <>]

Grouper community,

 

Sorry to report there is a critical Grouper security vulnerability that requires your immediate attention if you are running Grouper.

 

https://bugs.internet2.edu/jira/browse/GRP-1227

 

This can be exploited locally or remotely. Details of the exploit will remain confidential, but this is very important and urgent to address. Contents of the sources.xml can be retrieved including the params for a source which can contain connect configuration, URL's, usernames, and passwords for the source.  We aim to follow security best practices to be open and transparent, but in this case, the details of how to perform this exploit are not public, the patch does not give hints about the exploit, and publishing the details will put institutions at serious risk.  However, you should treat this at critical and address the issue as soon as you can.  If you want to discuss this strategy of handling this issue please contact Chris Hyzer directly.

 

Grouper versions 1.4+ (API, UI, WS, loader) are affected by this especially if you have passwords in your sources.xml (if you use the GrouperJdbcConnectionProvider or have your password in ldap.properties, or encrypted externalized passwords, this is less urgent for you).

 

WORKAROUND:

A workaround to quickly address the most sensitive part of this vulnerability is to externalize the passwords from the sources.xml.

 

https://bugs.internet2.edu/jira/browse/GRP-122     (this jira shows how to do this)

 

0. Change database/ldap passwords referenced in the sources.xml file

 

1. open classpath (e.g. conf/morphString.properties or WEB-INF/classes/morphString.properties)

 

2. if there is something configured for encrypt.key, leave it, if not, then put a long random string or a filename (containing a long random string)

encrypt.key =

 

3. encrypt your sources.xml passwords (all of them, if any apply)

windows (e.g. from WEB-INF dir):

java -jar lib\morphString.jar

Enter the location of morphString.properties: conf/morphString.properties

Type the string to encrypt (note: pasting might echo it back):

unix (e.g. from WEB-INF dir):

java -jar lib/morphString.jar

Enter the location of morphString.properties: conf/morphString.properties

Type the string to encrypt (note: pasting might echo it back):

 

4. take the encrypted string output the previous command, and save it into a text file, for example in unix in a/b/c.pass (in windows in a\b\c.pass)

 

5. replace the passwords in the sources.xml file with the file names of the encrypted passes

windows:

<param-value>a\\b\\c.pass</param-value>

 

unix:

<param-value>a/b/c.pass</param-value>

6.bounce the service

 

FIX:

First of all you need to change your passwords that are in the sources.xml.

Patches will be provided for various versions of Grouper. v2.2.2 has a patch (grouper_v2_2_2_api_patch_2). If you are on another version of grouper and the WORKAROUND above is not sufficient, and you cannot quickly upgrade to v2.2.2, please add a comment to this Jira with the version of Grouper you are running and the version of Java and Chris will make a patch for you. Note, if you have implemented your own subject source (not common), you need to adjust this method in your implementation.

 

VERIFY:

You can verify that you have a problem by doing this:

gsh 0% grouperSession = GrouperSession.startRootSession();

edu.internet2.middleware.grouper.GrouperSession: 80ee0f5a5cb64ec6acb1f6a2a738d455,'GrouperSystem','application'

gsh 1% subject = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true);

subject: id='GrouperSystem' type='application' source='g:isa' name='GrouperSysAdmin'

gsh 2% subject.getSource().getInitParams();

java.util.Properties: {} <<<<--------------------------

If it prints out Properties like it does above, then you are vulnerable.

 

If you get the following output, then you have successfully fixed the vulnerability. Note, you need to fix this in all envs (UI, WS, loader, etc).

gsh 0% grouperSession = GrouperSession.startRootSession();

edu.internet2.middleware.grouper.GrouperSession: 79ed6a2559af4e6299abc484668b85ec,'GrouperSystem','application'

gsh 1% subject = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true);

subject: id='GrouperSystem' type='application' source='g:isa' name='GrouperSysAdmin'

gsh 2% subject.getSource().getInitParams();

// Error: unable to evaluate command: Sourced file: inline evaluation of: ``subject.getSource().getInitParams();'' : Error in method invocation: Method getInitParams() not found in class'edu.internet2.middleware.grouper.subj.InternalSourceAdapter'

 

The demo server is patched.

 

I would appreciate if any discussion of this issue would happen directly with me or on the list (which is private) and not other lists.  I will notify the broader community if necessary.

 

Regards,

Chris

 

 

PS:

(note for developers)To fix this vulnerability, the patch must change the edu.internet2.middleware.subject.Source method: getInitParams() to be refactored to initParams()

Note, these following files need to be changed:

(Grouper)

edu.internet2.middleware.grouper.GrouperSourceAdapter.java

edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.java (2.1-)

(Subject)

edu.internet2.middleware.subject.LazySource.java

edu.internet2.middleware.subject.Source.java

edu.internet2.middleware.subject.provider.BaseSourceAdapter.java

edu.internet2.middleware.subject.provider.JDBCSourceAdapter.java

edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.java (2.2+)

edu.internet2.middleware.subject.provider.JNDISourceAdapter.java (2.1-)

edu.internet2.middleware.subject.provider.JNDISourceAdapterLegacy.java (2.2+)

edu.internet2.middleware.subject.provider.LdapSourceAdapter.java

edu.internet2.middleware.subject.provider.SourceManager.java

edu.internet2.middleware.subject.provider.SubjectImpl.java

 

PPS: note, this has been fixed in github on the following branches: 1.6, 2.0, 2.1, 2.2, 2.3