Grouper Users - Open Discussion List (grouper-users list archive)

[grouper-users] RE: Security issue: RE: Concern with vt-ldap that is packaged with Grouper


  • From: "Black, Carey M." <>
  • To: "Hyzer, Chris" <>, " Mailing List" <>
  • Subject: [grouper-users] RE: Security issue: RE: Concern with vt-ldap that is packaged with Grouper
  • Date: Wed, 19 Apr 2017 15:04:16 +0000
  • Accept-language: en-US

Chris,

Actually…

The credit should go to Scott Cantor and the Shibboleth project. Apparently they originally found this issue in vt-ldap “back in the day” and worked with VT to get it fixed.

I only knew of it because Scott said: “They are using vt-ldap? Really? What version? …. Oh, I think that version has a known issue with it.”

I was just the messenger.

And _Thank You_ for the very quick turnaround on this. :)

--

Carey Matthew

 

From: Hyzer, Chris [mailto:]
Sent: Wednesday, April 19, 2017 1:46 AM
To: Hyzer, Chris <>; Black, Carey M. <>; Mailing List <>
Subject: Security issue: RE: Concern with vt-ldap that is packaged with Grouper

This is fixed in 2.3.0 api patch #63. Especially since this is a security patch, you should apply it without delay.

https://bugs.internet2.edu/jira/browse/GRP-1532

I tested an LDAP source, and the LDAP loader, and they work fine. If anyone has feedback let me know. Note if you can't patch for whatever reason you can just copy the new vt-ldap.jar in place.

Thanks to Carey Black for pointing this out.

Thanks

Chris

Note, vt-ldap 3.3.9 is in the patch…

 

From: [] On Behalf Of Black, Carey M.
Sent: Tuesday, April 18, 2017 5:28 PM
To:
Subject: [grouper-core] Concern with vt-ldap that is packaged with Grouper

I believe there is a security issue with a version of the vt-ldap client that is packaged with Grouper at this time. (Ver. 3.3.5)

REF: vt-ldap bug

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3607

David Jorm 2014-09-10 21:43:24 EDT

“It was discovered that the implementation used by the vtldap/ldaptive project to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject.”

Fixed In Version: vt-ldap 3.3.8, ldaptive 1.0.5

As well as this ref: https://shibboleth.net/community/advisories/secadv_20140919.txt

Please upgrade to at least the latest version of vt-ldap.

It may also be advisable, in the long term, to move to http://www.ldaptive.org/ . It looks like vt-ldap may have been informally deprecated somewhere around 2013.

--

Carey Matthew
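The Red Hat description quoted in the thread concerns how a TLS client decides that the name in a server certificate matches the host it connected to. As an added example that is not part of the thread and not code from vt-ldap, ldaptive or Grouper, here is a strict matcher written in Python following the RFC 6125 rules for DNS identifiers, next to a constructed loose matcher that shows the general failure class (the certificate name treated as a pattern and searched for in the hostname) rather than the specific defect fixed in vt-ldap 3.3.8 / ldaptive 1.0.5. The target host ldap.example.edu and every presented name are assumptions made for the demonstration.

```python
"""Hostname matching for an LDAP-over-TLS client's certificate check.

Added example for this thread; not code from vt-ldap, ldaptive or Grouper.
strict_match() applies the RFC 6125 rules for DNS identifiers. loose_match()
is a constructed illustration of the general failure class (the certificate
name interpreted as a pattern and searched for in the hostname); it is not
the specific flaw fixed in vt-ldap 3.3.8 / ldaptive 1.0.5 (CVE-2014-3607).
"""
import re


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot (root label) carries no meaning here.
    return name.strip().lower().rstrip(".")


def strict_match(cert_name: str, hostname: str) -> bool:
    """Match one presented DNS identifier (a dNSName SAN or a CN) against the target host.

    Rules applied:
      - exact, case-insensitive comparison when the identifier has no wildcard
      - a wildcard is accepted only as the whole left-most label ("*.example.edu")
      - the wildcard covers exactly one non-empty label, so "*.example.edu" matches
        neither "example.edu" nor "a.b.example.edu"
      - at least two labels must follow the wildcard, so "*" and "*.edu" are rejected
    """
    cert_name = _normalize(cert_name)
    hostname = _normalize(hostname)
    if not cert_name or not hostname:
        return False
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the entire first label and must appear nowhere else.
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:
        return False
    # Same label count, a non-empty left-most host label, and an identical suffix.
    if len(host_labels) != len(cert_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == cert_labels[1:]


def loose_match(cert_name: str, hostname: str) -> bool:
    """Constructed weak check, for comparison only: the certificate name becomes an
    unanchored pattern that is searched for in the hostname. A validly issued
    certificate whose subject is crafted as "*" or "*.*" then passes for every host."""
    pattern = re.escape(_normalize(cert_name)).replace(r"\*", ".*")
    return re.search(pattern, _normalize(hostname)) is not None


def verify_peer_name(hostname: str, san_dns_names, subject_cn) -> bool:
    """Check the hostname against the certificate's dNSName SAN entries and fall back
    to the subject CN only when the certificate carries no dNSName entries
    (RFC 6125 section 6.4.4). The CN is never consulted when SANs are present."""
    if san_dns_names:
        return any(strict_match(name, hostname) for name in san_dns_names)
    return bool(subject_cn) and strict_match(subject_cn, hostname)


if __name__ == "__main__":
    host = "ldap.example.edu"  # constructed target host
    for presented in ["ldap.example.edu", "*.example.edu", "*", "*.*", "*.edu", "ld*.example.edu"]:
        print("%-18s strict=%-5s loose=%s" % (presented, strict_match(presented, host), loose_match(presented, host)))
```

The loose matcher is there to be compared against, not reused: a client should take only the strict path, and for a certificate that carries subjectAltName dNSName entries the CN should not be consulted at all.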


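Chris notes that the patch carries vt-ldap 3.3.9 and that the jar can also be copied into place by hand, and Carey asks for an upgrade to a fixed version. An added check for that, not a Grouper or vt-ldap tool and not part of the thread: a Python script that walks an installation directory, reads each vt-ldap jar's version from its file name or, failing that, from the Implementation-Version entry of its manifest, and flags anything below 3.3.8 (the fixed version named in the Red Hat bug) or anything whose version cannot be read. The lib/grouper layout and the two sample jars are constructed for the demonstration.

```python
"""Find vt-ldap jars under a Grouper install and flag any older than 3.3.8.

Added example for this thread, not a Grouper or vt-ldap tool. The version is
taken from the jar file name (vt-ldap-<version>.jar) or, when the name carries
none (a jar copied into place by hand), from Implementation-Version in
META-INF/MANIFEST.MF. FIXED_IN comes from the Red Hat bug quoted in the
thread; the jars written by build_sample_tree() are constructed sample data.
"""
import os
import re
import tempfile
import zipfile

FIXED_IN = (3, 3, 8)  # first vt-ldap release with the CVE-2014-3607 fix, per the Red Hat bug
NAME_RE = re.compile(r"^vt-ldap-(\d+(?:\.\d+)*)\.jar$")
VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str):
    """'3.3.10' -> (3, 3, 10); tuples compare numerically, so 3.3.10 > 3.3.8."""
    return tuple(int(part) for part in text.split("."))


def jar_version(path: str):
    """Version tuple for a jar, or None when it cannot be determined."""
    m = NAME_RE.match(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            value = line.split(":", 1)[1].strip()
            if VERSION_RE.match(value):
                return parse_version(value)
    return None


def scan(root: str):
    """[(path, version_or_None, needs_action)] for every vt-ldap*.jar under root.

    A jar whose version cannot be read is reported as needing action: an
    unidentifiable jar is not evidence that the fixed version is installed.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("vt-ldap") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                findings.append((path, version, version is None or version < FIXED_IN))
    return findings


def _write_jar(path: str, impl_version: str) -> None:
    # Minimal stand-in jar: a zip holding only a manifest (constructed sample data).
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % impl_version)


def build_sample_tree() -> str:
    """Constructed stand-in for a Grouper lib directory holding two vt-ldap jars."""
    root = tempfile.mkdtemp(prefix="grouper-vtldap-demo-")
    lib = os.path.join(root, "lib", "grouper")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "vt-ldap-3.3.5.jar"), "3.3.5")  # the version shipped with Grouper at the time
    _write_jar(os.path.join(lib, "vt-ldap.jar"), "3.3.9")        # jar copied in by hand; only the manifest says which
    return root


if __name__ == "__main__":
    for path, version, needs_action in scan(build_sample_tree()):
        shown = ".".join(str(p) for p in version) if version else "unknown"
        print("%-8s %-8s %s" % ("UPGRADE" if needs_action else "ok", shown, path))
```

Run it against the real Grouper directory (the API, UI and WS each carry their own lib directory) rather than the sample tree, and treat an "unknown" result as something to inspect by hand rather than as a pass.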

