Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] critical Grouper security vulnerability

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] critical Grouper security vulnerability


Chronological Thread 
  • From: Baron Fujimoto <>
  • To: Grouper Users <>
  • Subject: Re: [grouper-users] critical Grouper security vulnerability
  • Date: Tue, 1 Dec 2015 14:08:09 -1000

Is there Grouper documentation that generally covers the externalization
of passwords and the use of morphString? I was eventually able to deploy
the mitigation suggestions provided below after some trial and error[*].
When I tried searching the Grouper wiki I didn't really come up with
anything directly applicable (just indirect references).

[*] For unix, we eventually determined that full/absolute path names are
required(?). I guess the configs key on the "/" directory delimiter to
distinguish between a literal string value and a lookup in an external
file. In restrospect, I guess this makes sense, and is even hinted at in
the directions below; but more explicit commentary to that effect would
have saved us time and confusion.

Aloha,
-baron

On Mon, Nov 30, 2015 at 03:36:01AM +0000, Chris Hyzer wrote:
>Grouper community,
>
>Sorry to report there is a critical Grouper security vulnerability that
>requires your immediate attention if you are running Grouper.
>
>https://bugs.internet2.edu/jira/browse/GRP-1227
>
>This can be exploited locally or remotely. Details of the exploit will
>remain confidential, but this is very important and urgent to address.
>Contents of the sources.xml can be retrieved including the params for a
>source which can contain connect configuration, URL's, usernames, and
>passwords for the source. We aim to follow security best practices to be
>open and transparent, but in this case, the details of how to perform this
>exploit are not public, the patch does not give hints about the exploit, and
>publishing the details will put institutions at serious risk. However, you
>should treat this at critical and address the issue as soon as you can. If
>you want to discuss this strategy of handling this issue please contact
>Chris Hyzer directly.
>
>Grouper versions 1.4+ (API, UI, WS, loader) are affected by this especially
>if you have passwords in your sources.xml (if you use the
>GrouperJdbcConnectionProvider or have your password in ldap.properties, or
>encrypted externalized passwords, this is less urgent for you).
>
>WORKAROUND:
>A workaround to quickly address the most sensitive part of this
>vulnerability is to externalize the passwords from the sources.xml.
>
>https://bugs.internet2.edu/jira/browse/GRP-122 (this jira shows how to
>do this)
>
>0. Change database/ldap passwords referenced in the sources.xml file
>
>1. open classpath (e.g. conf/morphString.properties or
>WEB-INF/classes/morphString.properties)
>
>2. if there is something configured for encrypt.key, leave it, if not, then
>put a long random string or a filename (containing a long random string)
>encrypt.key =
>
>3. encrypt your sources.xml passwords (all of them, if any apply)
>windows (e.g. from WEB-INF dir):
>java -jar lib\morphString.jar
>Enter the location of morphString.properties: conf/morphString.properties
>Type the string to encrypt (note: pasting might echo it back):
>unix (e.g. from WEB-INF dir):
>java -jar lib/morphString.jar
>Enter the location of morphString.properties: conf/morphString.properties
>Type the string to encrypt (note: pasting might echo it back):
>
>4. take the encrypted string output the previous command, and save it into a
>text file, for example in unix in a/b/c.pass (in windows in a\b\c.pass)
>
>5. replace the passwords in the sources.xml file with the file names of the
>encrypted passes
>windows:
><param-value>a\\b\\c.pass</param-value>
>
>unix:
><param-value>a/b/c.pass</param-value>
>6.bounce the service
>
>FIX:
>First of all you need to change your passwords that are in the sources.xml.
>Patches will be provided for various versions of Grouper. v2.2.2 has a patch
>(grouper_v2_2_2_api_patch_2). If you are on another version of grouper and
>the WORKAROUND above is not sufficient, and you cannot quickly upgrade to
>v2.2.2, please add a comment to this Jira with the version of Grouper you
>are running and the version of Java and Chris will make a patch for you.
>Note, if you have implemented your own subject source (not common), you need
>to adjust this method in your implementation.
>
>VERIFY:
>You can verify that you have a problem by doing this:
>gsh 0% grouperSession = GrouperSession.startRootSession();
>edu.internet2.middleware.grouper.GrouperSession:
>80ee0f5a5cb64ec6acb1f6a2a738d455,'GrouperSystem','application'
>gsh 1% subject = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa",
>true);
>subject: id='GrouperSystem' type='application' source='g:isa'
>name='GrouperSysAdmin'
>gsh 2% subject.getSource().getInitParams();
>java.util.Properties: {} <<<<--------------------------
>If it prints out Properties like it does above, then you are vulnerable.
>
>If you get the following output, then you have successfully fixed the
>vulnerability. Note, you need to fix this in all envs (UI, WS, loader, etc).
>gsh 0% grouperSession = GrouperSession.startRootSession();
>edu.internet2.middleware.grouper.GrouperSession:
>79ed6a2559af4e6299abc484668b85ec,'GrouperSystem','application'
>gsh 1% subject = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa",
>true);
>subject: id='GrouperSystem' type='application' source='g:isa'
>name='GrouperSysAdmin'
>gsh 2% subject.getSource().getInitParams();
>// Error: unable to evaluate command: Sourced file: inline evaluation of:
>``subject.getSource().getInitParams();'' : Error in method invocation:
>Method getInitParams() not found in
>class'edu.internet2.middleware.grouper.subj.InternalSourceAdapter'
>
>The demo server is patched.
>
>I would appreciate if any discussion of this issue would happen directly
>with me or on the
><mailto:>
> list (which is private) and not other lists. I will notify the broader
>community if necessary.
>
>Regards,
>Chris
>
>
>PS:
>(note for developers)To fix this vulnerability, the patch must change the
>edu.internet2.middleware.subject.Source method: getInitParams() to be
>refactored to initParams()
>Note, these following files need to be changed:
>(Grouper)
>edu.internet2.middleware.grouper.GrouperSourceAdapter.java
>edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.java (2.1-)
>(Subject)
>edu.internet2.middleware.subject.LazySource.java
>edu.internet2.middleware.subject.Source.java
>edu.internet2.middleware.subject.provider.BaseSourceAdapter.java
>edu.internet2.middleware.subject.provider.JDBCSourceAdapter.java
>edu.internet2.middleware.subject.provider.JDBCSourceAdapter2.java (2.2+)
>edu.internet2.middleware.subject.provider.JNDISourceAdapter.java (2.1-)
>edu.internet2.middleware.subject.provider.JNDISourceAdapterLegacy.java (2.2+)
>edu.internet2.middleware.subject.provider.LdapSourceAdapter.java
>edu.internet2.middleware.subject.provider.SourceManager.java
>edu.internet2.middleware.subject.provider.SubjectImpl.java
>
>PPS: note, this has been fixed in github on the following branches: 1.6,
>2.0, 2.1, 2.2, 2.3

--
Baron Fujimoto
<>
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



Archive powered by MHonArc 2.6.16.

Top of Page