grouper-users - RE: [grouper-users] jvm/tomcat security issue

Grouper Users - Open Discussion List (list archive)

  • From: Chris Hyzer <>
  • To: Andrew Petro <>, "" <>
  • Subject: RE: [grouper-users] jvm/tomcat security issue
  • Date: Thu, 24 Feb 2011 15:57:08 -0500
  • Accept-language: en-US

Ok, Shilen was able to bring down the Grouper UI with this vulnerability.

I will say that at Penn we protect our entire UI (even the splash page) with
SSO at the web server level, so I think there is less of a chance someone
will do this. However, once external subjects can register, then anyone with
a protect network account (which is anyone) would be able to do it. As for
WS, I'm not sure when we call getLocale, but it's possible that there is a
problem there too...

Thanks,
Chris

-----Original Message-----
From: [mailto:] On Behalf Of Andrew Petro
Sent: Thursday, February 24, 2011 3:05 PM
To:
Subject: Re: [grouper-users] jvm/tomcat security issue

> has anyone been able to reproduce this against a Java webapp?

Yes. I'll share on-list that I've personally demonstrated this
vulnerability working against Jasig CAS, which in part led to this
announcement:

http://www.jasig.org/cas/news/cve-2010-4476

As far as I could tell, only paths that cause the web application to
attempt to getLocale() trigger Tomcat parsing enough of the afflicted
header to actuate the vulnerability. Some web applications don't
exercise this code path and so may not be vulnerable. CAS is vulnerable
because it uses a framework that exercises that code path on its behalf
in setting up handling the request. However, any reasonable framework
will likely exercise the affected code path in its efforts to set up
proper localization.

I haven't tried it against any Grouper.

Ping me off-list and I'll be happy to share more details, the automated
script that demonstrated the vulnerability...

Andrew



On 02/24/2011 02:44 PM, Chris Hyzer wrote:
> Just curious, has anyone been able to reproduce this against a Java webapp?
> I can reproduce in a command line java program. In a webapp, I am trying
> with Firefox and the tamper data plugin, and I can't get anything to lock
> up. I'm sure if I changed the server side code I could get it to work, but
> if anyone can make Grouper (UI or WS) freeze up, I would be interested.
> Feel free to contact me off list if people don't want to discuss this
> publicly.
>
> Thanks,
> Chris
>
> -----Original Message-----
> From: [mailto:] On Behalf Of Tom Barton
> Sent: Monday, February 21, 2011 9:44 AM
> To:
> Subject: [grouper-users] jvm/tomcat security issue
>
> Many grouper installations rely on tomcat, and many tomcat installations
> rely on Oracle's JVM (formerly Sun's java). Many versions of the JVM
> have a "complete DoS" vulnerability, meaning a remote attacker can keep
> it down all the time.
>
> http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
>
> Just thought you'd want to know, if you haven't heard already by some
> other means. Best to patch or upgrade.
>
> Tom
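Andrew's point above is that the container only touches the affected number-parsing code when the application (or its framework) calls getLocale(), which makes Tomcat parse the q-values of the Accept-Language header. The following servlet filter is an added example, not code from Grouper, CAS or Tomcat: it re-validates Accept-Language against the strict RFC 2616 grammar (a q-value is "0" with at most three decimals or "1" with at most three zeros) and answers getLocale()/getLocales() itself from the validated entries, so a framework that goes through the wrapped request never hands an arbitrary q-value to the JVM's floating-point parser. The class and filter names are hypothetical.

```java
import java.io.IOException;
import java.math.BigDecimal;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Hypothetical stopgap filter (example code, not part of Grouper, CAS or Tomcat).
 * Keeps only Accept-Language entries that match the strict RFC 2616 grammar and
 * serves locales from that list, so the container's own header parser is not
 * reached through the wrapped request. Nothing here calls Double.parseDouble.
 */
public class AcceptLanguageSanitizingFilter implements Filter {

    private static final String HEADER = "Accept-Language";
    // RFC 2616 language-range: 1*8ALPHA *( "-" 1*8ALPHA ), or "*"
    private static final Pattern RANGE =
            Pattern.compile("\\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*");
    // RFC 2616 qvalue: "0" with up to three decimals, or "1" with up to three zeros
    private static final Pattern QVALUE =
            Pattern.compile("0(?:\\.[0-9]{0,3})?|1(?:\\.0{0,3})?");

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new SanitizedRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** One accepted entry: the language range and its q-value as an exact decimal. */
    static final class Entry {
        final String range; final BigDecimal q;
        Entry(String range, BigDecimal q) { this.range = range; this.q = q; }
    }

    /** Parse a raw header value, dropping every entry that is not strictly well-formed. */
    static List<Entry> parseStrict(String raw) {
        List<Entry> out = new ArrayList<Entry>();
        if (raw == null) return out;
        for (String item : raw.split(",")) {
            String[] parts = item.trim().split(";");
            String range = parts[0].trim();
            if (!RANGE.matcher(range).matches()) continue;
            BigDecimal q = BigDecimal.ONE;
            boolean ok = true;
            for (int i = 1; i < parts.length; i++) {
                String p = parts[i].trim();
                if (!p.startsWith("q=")) { ok = false; break; }
                String v = p.substring(2).trim();
                if (!QVALUE.matcher(v).matches()) { ok = false; break; }
                q = new BigDecimal(v);          // exact, no floating-point parse
            }
            if (ok && q.signum() > 0) out.add(new Entry(range, q));
        }
        // highest q first; the sort is stable, so header order is kept among equal q
        Collections.sort(out, new Comparator<Entry>() {
            public int compare(Entry a, Entry b) { return b.q.compareTo(a.q); }
        });
        return out;
    }

    /** Re-serialise the accepted entries so downstream code sees a clean header. */
    static String rebuild(List<Entry> entries) {
        StringBuilder sb = new StringBuilder();
        for (Entry e : entries) {
            if (sb.length() > 0) sb.append(", ");
            sb.append(e.range).append(";q=").append(e.q.toPlainString());
        }
        return sb.toString();
    }

    /** Locales for the non-wildcard entries, falling back to the JVM default. */
    static List<Locale> toLocales(List<Entry> entries) {
        List<Locale> ls = new ArrayList<Locale>();
        for (Entry e : entries) {
            if ("*".equals(e.range)) continue;
            String[] p = e.range.split("-", 2);
            ls.add(p.length == 1 ? new Locale(p[0]) : new Locale(p[0], p[1]));
        }
        if (ls.isEmpty()) ls.add(Locale.getDefault());
        return ls;
    }

    /** Request wrapper that serves the sanitised header and derives locales from it. */
    static final class SanitizedRequest extends HttpServletRequestWrapper {
        private final List<Locale> locales;
        private final String clean;

        SanitizedRequest(HttpServletRequest r) {
            super(r);
            StringBuilder raw = new StringBuilder();   // join repeated header lines
            for (Enumeration<?> e = r.getHeaders(HEADER); e != null && e.hasMoreElements();) {
                if (raw.length() > 0) raw.append(",");
                raw.append(e.nextElement());
            }
            List<Entry> entries = parseStrict(raw.toString());
            clean = rebuild(entries);
            locales = toLocales(entries);
        }

        public String getHeader(String name) {
            if (!HEADER.equalsIgnoreCase(name)) return super.getHeader(name);
            return clean.isEmpty() ? null : clean;
        }

        public Enumeration<String> getHeaders(String name) {
            if (!HEADER.equalsIgnoreCase(name)) return super.getHeaders(name);
            List<String> one = clean.isEmpty()
                    ? Collections.<String>emptyList() : Collections.singletonList(clean);
            return Collections.enumeration(one);
        }

        public Locale getLocale() { return locales.get(0); }

        public Enumeration<Locale> getLocales() { return Collections.enumeration(locales); }
    }
}
```

Register it in web.xml ahead of the framework's own filters with a `/*` mapping. The caveat is the one Andrew's message implies: the wrapper only protects code that goes through the filter chain. Anything that calls getLocale() on the unwrapped container request (a Valve, an access-log pattern, or code that runs before filters) still reaches Tomcat's own header parsing, so this is a stopgap; patching or upgrading the JVM as Tom's advisory link recommends is the actual fix.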
