grouper-users - Re: [grouper-users] jvm/tomcat security issue
Subject: Grouper Users - Open Discussion List
List archive
- From: Andrew Petro <>
- To:
- Subject: Re: [grouper-users] jvm/tomcat security issue
- Date: Thu, 24 Feb 2011 15:04:31 -0500
> has anyone been able to reproduce this against a Java webapp?
Yes. I'll share on-list that I've personally demonstrated this vulnerability working against Jasig CAS, which in part led to this announcement:
http://www.jasig.org/cas/news/cve-2010-4476
As far as I could tell, only paths that cause the web application to attempt to getLocale() trigger Tomcat parsing enough of the afflicted header to actuate the vulnerability. Some web applications don't exercise this code path and so may not be vulnerable. CAS is vulnerable because it uses a framework that exercises that code path on its behalf in setting up handling the request. However, any reasonable framework will likely exercise the affected code path in its efforts to set up proper localization.
I haven't tried it against any Grouper.
Ping me off-list and I'll be happy to share more details, the automated script that demonstrated the vulnerability...
Andrew
On 02/24/2011 02:44 PM, Chris Hyzer wrote:
Just curious, has anyone been able to reproduce this against a Java webapp?
I can reproduce in a command line java program. In a webapp, I am trying
with Firefox and the tamper data plugin, and I cant get anything to lock up.
Im sure if I changed the server side code I could get it to work, but if
anyone can make Grouper (UI or WS) freeze up, I would be interested. Feel
free to contact me off list if people don't want to discuss this publicly.
Thanks,
Chris
-----Original Message-----
From:
[mailto:]
On Behalf Of Tom Barton
Sent: Monday, February 21, 2011 9:44 AM
To:
Subject: [grouper-users] jvm/tomcat security issue
Many grouper installations rely on tomcat, and many tomcat installations
rely on Oracle's JVM (formerly Sun's java). Many versions of the JVM
have a "complete DoS" vulnerability, meaning a remote attacker can keep
it down all the time.
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
Just thought you'd want to know, if you haven't heard already by some
other means. Best to patch or upgrade.
Tom
- [grouper-users] jvm/tomcat security issue, Tom Barton, 02/21/2011
- RE: [grouper-users] jvm/tomcat security issue, Chris Hyzer, 02/24/2011
- Re: [grouper-users] jvm/tomcat security issue, Andrew Petro, 02/24/2011
- RE: [grouper-users] jvm/tomcat security issue, Chris Hyzer, 02/24/2011
- Re: [grouper-users] jvm/tomcat security issue, Andrew Petro, 02/24/2011
- RE: [grouper-users] jvm/tomcat security issue, Chris Hyzer, 02/24/2011
Archive powered by MHonArc 2.6.16.