Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] jvm/tomcat security issue

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] jvm/tomcat security issue

Chronological Thread 
  • From: Chris Hyzer <>
  • To: Andrew Petro <>, "" <>
  • Subject: RE: [grouper-users] jvm/tomcat security issue
  • Date: Thu, 24 Feb 2011 15:57:08 -0500
  • Accept-language: en-US
  • Acceptlanguage: en-US

Ok, Shilen was able to bring down the Grouper UI with this vulnerability.

I will say that at Penn we protect our entire UI (even the splash page) with
SSO at the web server level, so I think there is less of a chance someone
will do this. However, once external subjects can register, then anyone with
a protect network account (which is anyone), would be able to do it. As for
WS, Im not sure when we call getLocale, but its possible that there is a
problem there too...


-----Original Message-----

On Behalf Of Andrew Petro
Sent: Thursday, February 24, 2011 3:05 PM

Subject: Re: [grouper-users] jvm/tomcat security issue

> has anyone been able to reproduce this against a Java webapp?

Yes. I'll share on-list that I've personally demonstrated this
vulnerability working against Jasig CAS, which in part led to this

As far as I could tell, only paths that cause the web application to
attempt to getLocale() trigger Tomcat parsing enough of the afflicted
header to actuate the vulnerability. Some web applications don't
exercise this code path and so may not be vulnerable. CAS is vulnerable
because it uses a framework that exercises that code path on its behalf
in setting up handling the request. However, any reasonable framework
will likely exercise the affected code path in its efforts to set up
proper localization.

I haven't tried it against any Grouper.

Ping me off-list and I'll be happy to share more details, the automated
script that demonstrated the vulnerability...


On 02/24/2011 02:44 PM, Chris Hyzer wrote:
> Just curious, has anyone been able to reproduce this against a Java webapp?
> I can reproduce in a command line java program. In a webapp, I am trying
> with Firefox and the tamper data plugin, and I cant get anything to lock
> up. Im sure if I changed the server side code I could get it to work, but
> if anyone can make Grouper (UI or WS) freeze up, I would be interested.
> Feel free to contact me off list if people don't want to discuss this
> publicly.
> Thanks,
> Chris
> -----Original Message-----
> From:
> [mailto:]
> On Behalf Of Tom Barton
> Sent: Monday, February 21, 2011 9:44 AM
> To:
> Subject: [grouper-users] jvm/tomcat security issue
> Many grouper installations rely on tomcat, and many tomcat installations
> rely on Oracle's JVM (formerly Sun's java). Many versions of the JVM
> have a "complete DoS" vulnerability, meaning a remote attacker can keep
> it down all the time.
> Just thought you'd want to know, if you haven't heard already by some
> other means. Best to patch or upgrade.
> Tom

Archive powered by MHonArc 2.6.16.

Top of Page