Grouper Users - Open Discussion List

["Hyzer, Chris" <>]

There is an XSRF security vulnerability in the Grouper UI. 

 

Grouper v2.2 and v2.3 are affected.

 

The patches for this have no dependencies (i.e. you don’t have to install other patches) and are low risk lightweight patches, so you should apply these asap.

 

https://bugs.internet2.edu/jira/browse/GRP-1838

 

2.2: grouper_v2_2_2_ui_patch_6

2.3: grouper_v2_3_0_ui_patch_45

 

There are patches for 2.2.2 and 2.3.0.  Note, if you are using 2.2.0 or 2.2.1, you can still unzip that patch and manually apply it in the classes dir and it should work.  If the java version of the patch does not match what you are running we can recompile the source for your version.

 

Thanks to Jerry Lee, Information Security Analyst, University of Auckland, for finding this and clearly describing it to the team.

 

Reproduce this by appending this to your URL:

 

/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E

 

e.g.

 

https://grouperdemo.internet2.edu/grouper_v2_2/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E

 

If the vulnerability exists, you will see this:

 

 

If the patch is applied and the vulnerability is fixed, you will see this:

 

 

 

Let me know if you have any questions.

 

Thanks

Chris

 

Ps. Here is what I just did for Penn (in test and prod):

 

1.       Verify exists:

 

https://grouper.apps.upenn.edu/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E

 

2.       Install patch

 

[appadmin@fastprod-mgmt-01 patching]$ more run.sh

#!/bin/bash

 

export JAVA_HOME=/opt/appserv/common/java

export PATH=$JAVA_HOME/bin:$PATH

cd /opt/appserv/tomcat/apps/grouper/patching

java -cp .:grouperInstaller.jar edu.internet2.middleware.grouperInstaller.GrouperInstaller

echo

echo "run this to complete the patching"

echo 'clusterRun grouper "rm -rf /opt/appserv/tomcat/apps/grouper/work/*"'

echo "clusterCopy.sh grouper /opt/appserv/tomcat/apps/grouper/webapps/grouper"

echo "clusterTomcat grouper restart"

[appadmin@fastprod-mgmt-01 patching]$ ./run.sh

Do you want to 'install' a new installation of grouper, 'upgrade' an existing installation,

  'patch' an existing installation, 'admin' utilities, or 'createPatch' for Grouper developers

  (enter: 'install', 'upgrade', 'patch', 'admin', 'createPatch' or blank for the default) [patch]:

Enter in a Grouper temp directory to download tarballs (note: better if no spaces or special chars) [/opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs]:

What do you want to patch?  api, ui, ws, pspng, or psp? [UI]:

Where is the grouper UI installed? [/opt/appserv/tomcat/apps/grouper/webapps/grouper]:

What do you want to do with patches (install, revert, status, fixIndexFile)? [install]:

Do you want to fix the patch index file (download all patches and see if they are installed?) (not recommended) (t|f)? [f]:

 

Would you like to install all patches (t|f)? [t]:

f

Would you like to install patches up to a certain patch level? (t|f)? [f]:

 

Would you like to install certain specified patches? (t|f)? [f]:

t

What patches would you like to install [comma-separated] (e.g. grouper_v2_3_0_api_patch_0, grouper_v2_3_0_api_patch_1, grouper_v2_3_0_ui_patch_0)? :

grouper_v2_3_0_ui_patch_45

 

 

################ Checking patch grouper_v2_3_0_ui_patch_45

Downloading from URL: http://software.internet2.edu/grouper/release/2.3.0/patches/grouper_v2_3_0_ui_patch_45.tar.gz to file: /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz

Unzipping: /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz

Expanding: /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar to /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45

Patch grouper_v2_3_0_ui_patch_45 is low risk, is a security patch

GRP-1838: xsrf problem with /UiV2Public.index

- added to end of property file: grouper_v2_3_0_ui_patch_45.date = 2018/07/20 14:44:49

This patch requires all processes that user Grouper to be stopped.

  Please stop these processes if they are running and press <enter> to continue...

 

Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class

Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class

Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class

Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class

Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class

Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class

Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class

Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java

Patch successfully applied: grouper_v2_3_0_ui_patch_45

- added to end of property file: grouper_v2_3_0_ui_patch_45.state = applied

 

[appadmin@fastprod-mgmt-01 patching]$ clusterCopy.sh grouper /opt/appserv/tomcat/apps/grouper/webapps/grouper

COPY TO SERVER fastprod-medium-a-01: /opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper /opt/appserv/local/tomcat/letters/tomcat_2v/webapps

sending incremental file list

grouper/WEB-INF/grouperPatchStatus.properties

grouper/WEB-INF/classes/

grouper/WEB-INF/classes/grouper-loader.properties~

grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/

grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class

grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class

grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class

grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class

grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class

grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class

grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class

grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java

 

sent 78534 bytes  received 734 bytes  31707.20 bytes/sec

total size is 120040994  speedup is 1514.37

 

Complete copy.sh on servers: fastprod-medium-a-01 fastprod-medium-a-02 fastprod-medium-a-03 fastprod-medium-a-04 fastprod-medium-a-05: /opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper /opt/appserv/local/tomcat/letters/tomcat_2v/webapps

[appadmin@fastprod-mgmt-01 patching]$ clusterTomcat grouper restart

SERVER fastprod-medium-a-01: /sbin/service tomcat_grouper restart

SERVER fastprod-medium-a-02: /sbin/service tomcat_grouper restart

SERVER fastprod-medium-a-03: /sbin/service tomcat_grouper restart

SERVER fastprod-medium-a-04: /sbin/service tomcat_grouper restart

SERVER fastprod-medium-a-05: /sbin/service tomcat_grouper restart

SUCCESS: grouper

[appadmin@fastprod-mgmt-01 patching]$

 

3.       Verify fixed