grouper-users - [grouper-users] Security issue: RE: Concern with vt-ldap that is packaged with Grouper

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] Security issue: RE: Concern with vt-ldap that is packaged with Grouper


Chronological Thread 
  • From: "Hyzer, Chris" <>
  • To: "Hyzer, Chris" <>, "Black, Carey M." <>, " Mailing List" <>
  • Subject: [grouper-users] Security issue: RE: Concern with vt-ldap that is packaged with Grouper
  • Date: Wed, 19 Apr 2017 05:46:10 +0000

This is fixed in 2.3.0 api patch #63. Especially since this is a security patch, you should apply it without delay.
https://bugs.internet2.edu/jira/browse/GRP-1532
I tested an LDAP source, and the LDAP loader, and they work fine. If anyone has feedback let me know. Note if you can't patch for whatever reason you can just copy the new vt-ldap.jar in place.
Thanks to Carey Black for pointing this out.
Thanks

Chris

Note, vt-ldap 3.3.9 is in the patch…
From: [] On Behalf Of Black, Carey M.
Sent: Tuesday, April 18, 2017 5:28 PM
To:
Subject: [grouper-core] Concern with vt-ldap that is packaged with Grouper
I believe there is a security issue with a version of the vt-ldap client that is packaged with Grouper at this time. (Ver. 3.3.5)
REF: vt-ldap bug
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3607

David Jorm 2014-09-10 21:43:24 EDT

It was discovered that the implementation used by the vtldap/ldaptive project to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject.
Fixed In Version: vt-ldap 3.3.8, ldaptive 1.0.5
As well as this ref: https://shibboleth.net/community/advisories/secadv_20140919.txt
Please upgrade to at least the latest version of vt-ldap.

It also may be advisable, in the long term, to move to http://www.ldaptive.org/. It looks like vt-ldap may have been informally deprecated somewhere around 2013.
--

Carey Matthew

Office of the Chief Information Officer (OCIO)

Identity and Access Management – Security Engineer-Lead

614-292-6079 Office
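Added example, not code from the Grouper or vt-ldap projects: a small Python audit of the jars under a Grouper lib directory that reports any bundled vt-ldap older than 3.3.8, the first fixed release named in the Red Hat advisory quoted above. It assumes the jar carries standard Maven metadata at META-INF/maven/edu.vt.middleware/vt-ldap/pom.properties (those Maven coordinates are an assumption, not stated on this page) and falls back to a versioned file name such as vt-ldap-3.3.5.jar.

```python
import re
import sys
import zipfile
from pathlib import Path

# vt-ldap releases below this version carry the hostname-check flaw (CVE-2014-3607)
FIXED_VERSION = (3, 3, 8)
# Assumed Maven metadata path inside the jar; the group/artifact ids are an assumption
POM_PROPS = "META-INF/maven/edu.vt.middleware/vt-ldap/pom.properties"


def parse_version(text):
    """Turn a string such as '3.3.5' into the tuple (3, 3, 5); extra suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def vtldap_version(jar_path):
    """Return the vt-ldap version tuple for a jar, or None if it is not a vt-ldap jar."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS in jar.namelist():
                for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        return None
    # Fallback: a jar renamed in place may still carry its version in the file name
    m = re.match(r"vt-ldap-(\d+\.\d+\.\d+)\.jar$", Path(jar_path).name)
    return parse_version(m.group(1)) if m else None


def audit_lib_dir(lib_dir):
    """Map each vt-ldap jar found under lib_dir to (version, is_vulnerable)."""
    findings = {}
    for jar in Path(lib_dir).rglob("*.jar"):
        ver = vtldap_version(jar)
        if ver is not None:
            findings[str(jar)] = (ver, ver < FIXED_VERSION)
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (ver, vuln) in sorted(audit_lib_dir(target).items()):
        label = "VULNERABLE (< 3.3.8)" if vuln else "ok"
        print(f"{path}: vt-ldap {'.'.join(map(str, ver))} {label}")
```

A jar with neither the Maven metadata nor a versioned name is reported as not vt-ldap, so a silent "no findings" result still warrants a manual check of the jar's manifest.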
Archive powered by MHonArc 2.6.19.
