Subject: Grouper Users - Open Discussion List

[grouper-users] Re: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3


  • From: Scott Koranda <>
  • To: "Hyzer, Chris" <>
  • Cc:
  • Subject: [grouper-users] Re: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3
  • Date: Mon, 23 Jul 2018 10:16:37 -0500

Hi,

Does exploiting the vulnerability require authenticated access to the
Grouper UI?

Thanks,

Scott K

> There is an XSRF security vulnerability in the Grouper UI.
>
> Grouper v2.2 and v2.3 are affected.
>
> The patches for this have no dependencies (i.e. you don't have to install
> other patches) and are low risk lightweight patches, so you should apply
> these asap.
>
> https://bugs.internet2.edu/jira/browse/GRP-1838
>
> 2.2: grouper_v2_2_2_ui_patch_6
> 2.3: grouper_v2_3_0_ui_patch_45
>
> There are patches for 2.2.2 and 2.3.0. Note, if you are using 2.2.0 or
> 2.2.1, you can still unzip that patch and manually apply it in the classes
> dir and it should work. If the java version of the patch does not match
> what you are running we can recompile the source for your version.
>
> Thanks to Jerry Lee, Information Security Analyst, University of Auckland,
> for finding this and clearly describing it to the team.
>
> Reproduce this by appending this to your URL:
>
> /grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E
>
> e.g.
>
> https://grouperdemo.internet2.edu/grouper_v2_2/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E
>
> If the vulnerability exists, you will see this:
>
> [https://bugs.internet2.edu/jira/secure/attachment/15871/15871_image-2018-07-20-13-14-40-882.png]
>
> If the patch is applied and the vulnerability is fixed, you will see this:
>
> [https://bugs.internet2.edu/jira/secure/attachment/15872/15872_image-2018-07-20-13-46-52-199.png]
>
>
> Let me know if you have any questions.
>
> Thanks
> Chris
>
> Ps. Here is what I just did for Penn (in test and prod):
>
>
> 1. Verify exists:
>
> https://grouper.apps.upenn.edu/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E
>
>
> 2. Install patch
>
> [appadmin@fastprod-mgmt-01 patching]$ more run.sh
> #!/bin/bash
>
> export JAVA_HOME=/opt/appserv/common/java
> export PATH=$JAVA_HOME/bin:$PATH
> cd /opt/appserv/tomcat/apps/grouper/patching
> java -cp .:grouperInstaller.jar edu.internet2.middleware.grouperInstaller.GrouperInstaller
> echo
> echo "run this to complete the patching"
> echo 'clusterRun grouper "rm -rf /opt/appserv/tomcat/apps/grouper/work/*"'
> echo "clusterCopy.sh grouper /opt/appserv/tomcat/apps/grouper/webapps/grouper"
> echo "clusterTomcat grouper restart"
> [appadmin@fastprod-mgmt-01 patching]$ ./run.sh
> Do you want to 'install' a new installation of grouper, 'upgrade' an
> existing installation,
> 'patch' an existing installation, 'admin' utilities, or 'createPatch' for
> Grouper developers
> (enter: 'install', 'upgrade', 'patch', 'admin', 'createPatch' or blank
> for the default) [patch]:
> Enter in a Grouper temp directory to download tarballs (note: better if no
> spaces or special chars)
> [/opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs]:
> What do you want to patch? api, ui, ws, pspng, or psp? [UI]:
> Where is the grouper UI installed?
> [/opt/appserv/tomcat/apps/grouper/webapps/grouper]:
> What do you want to do with patches (install, revert, status,
> fixIndexFile)? [install]:
> Do you want to fix the patch index file (download all patches and see if
> they are installed?) (not recommended) (t|f)? [f]:
>
> Would you like to install all patches (t|f)? [t]:
> f
> Would you like to install patches up to a certain patch level? (t|f)? [f]:
>
> Would you like to install certain specified patches? (t|f)? [f]:
> t
> What patches would you like to install [comma-separated] (e.g.
> grouper_v2_3_0_api_patch_0, grouper_v2_3_0_api_patch_1,
> grouper_v2_3_0_ui_patch_0)? :
> grouper_v2_3_0_ui_patch_45
>
>
> ################ Checking patch grouper_v2_3_0_ui_patch_45
> Downloading from URL:
> http://software.internet2.edu/grouper/release/2.3.0/patches/grouper_v2_3_0_ui_patch_45.tar.gz
> to file:
> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz
> Unzipping:
> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz
> Expanding:
> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar
> to
> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45
> Patch grouper_v2_3_0_ui_patch_45 is low risk, is a security patch
> GRP-1838: xsrf problem with /UiV2Public.index
> - added to end of property file: grouper_v2_3_0_ui_patch_45.date =
> 2018/07/20 14:44:49
> This patch requires all processes that user Grouper to be stopped.
> Please stop these processes if they are running and press <enter> to
> continue...
>
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java
> Patch successfully applied: grouper_v2_3_0_ui_patch_45
> - added to end of property file: grouper_v2_3_0_ui_patch_45.state = applied
>
> [appadmin@fastprod-mgmt-01 patching]$ clusterCopy.sh grouper
> /opt/appserv/tomcat/apps/grouper/webapps/grouper
> COPY TO SERVER fastprod-medium-a-01:
> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper
> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps
> sending incremental file list
> grouper/WEB-INF/grouperPatchStatus.properties
> grouper/WEB-INF/classes/
> grouper/WEB-INF/classes/grouper-loader.properties~
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java
>
> sent 78534 bytes received 734 bytes 31707.20 bytes/sec
> total size is 120040994 speedup is 1514.37
>
> Complete copy.sh on servers: fastprod-medium-a-01 fastprod-medium-a-02
> fastprod-medium-a-03 fastprod-medium-a-04 fastprod-medium-a-05:
> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper
> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps
> [appadmin@fastprod-mgmt-01 patching]$ clusterTomcat grouper restart
> SERVER fastprod-medium-a-01: /sbin/service tomcat_grouper restart
> SERVER fastprod-medium-a-02: /sbin/service tomcat_grouper restart
> SERVER fastprod-medium-a-03: /sbin/service tomcat_grouper restart
> SERVER fastprod-medium-a-04: /sbin/service tomcat_grouper restart
> SERVER fastprod-medium-a-05: /sbin/service tomcat_grouper restart
> SUCCESS: grouper
> [appadmin@fastprod-mgmt-01 patching]$
>
>
> 3. Verify fixed
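The advisory above gives two things a Grouper administrator needs to act on: which request shape to look for in web-server logs (the `/grouperExternal/public/UiV2Public.index` endpoint with markup in the `code` parameter) and how to tell a patched UI from an unpatched one (the reflected value either comes back verbatim or escaped). The following Python is an added example written for this thread, not code from Grouper or from either poster. The endpoint path and parameter name are taken from the advisory; the access-log lines, the response bodies, the harmless marker string and the helper names are all constructed here, and the classification of a "fixed" response assumes the patched UI HTML-escapes the reflected value, which the thread shows only as screenshots.

```python
"""Defender-side checks for the GRP-1838 reflected-parameter issue.

Added example for this thread; it is not Grouper project code. The endpoint
path and the `code` parameter come from the advisory; the log lines,
response bodies and helper names are constructed for illustration.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory.
AFFECTED_PATH = "/grouperExternal/public/UiV2Public.index"
REFLECTED_PARAM = "code"

# Markup that has no business in an error-code value: a tag opener, a
# javascript: URL, or an inline event-handler attribute.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Apache/Tomcat common log format: client, timestamp, request line, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_request(request_target: str) -> bool:
    """True when the target hits the affected endpoint with markup in `code`.

    Accepts a bare request target or a full URL; the path check uses
    endswith() because the context root varies (/grouper, /grouper_v2_2).
    """
    parts = urlsplit(request_target)
    if not parts.path.endswith(AFFECTED_PATH):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get(REFLECTED_PARAM, [])
    # parse_qs decodes once; decode again so double-encoded values are seen too.
    return any(MARKUP_RE.search(unquote(v)) for v in values)


def flag_log_lines(log_text: str) -> list:
    """Return (client_ip, timestamp, target) for each suspicious access-log line."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m and suspicious_request(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


def reflection_is_escaped(body: str, marker: str) -> bool:
    """Classify a response body that reflects `marker` back into the page.

    True when only the HTML-escaped form of the marker is present, False when
    the raw markup is reflected verbatim. Assumption: the patched UI escapes
    the value; the thread shows the two outcomes only as screenshots.
    """
    return marker not in body and html.escape(marker) in body


# Constructed sample data: an access log with one probe among ordinary
# traffic, and two response bodies standing in for the unpatched and patched UI.
ACCESS_LOG = """\
10.0.0.5 - - [23/Jul/2018:10:01:02 -0500] "GET /grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123
10.0.0.6 - - [23/Jul/2018:10:01:05 -0500] "GET /grouper/grouperUi/app/UiV2Main.index HTTP/1.1" 200 8821
10.0.0.7 - - [23/Jul/2018:10:02:11 -0500] "GET /grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=someErrorCode HTTP/1.1" 200 5100
"""

MARKER = "<b>grp1838-probe</b>"  # constructed, harmless marker value
VULNERABLE_BODY = "<html><body><p>Error: " + MARKER + "</p></body></html>"
FIXED_BODY = "<html><body><p>Error: " + html.escape(MARKER) + "</p></body></html>"

if __name__ == "__main__":
    for ip, ts, target in flag_log_lines(ACCESS_LOG):
        print(f"ALERT {ts} {ip} {target[:80]}...")
    print("unpatched body escaped?", reflection_is_escaped(VULNERABLE_BODY, MARKER))
    print("patched body escaped?", reflection_is_escaped(FIXED_BODY, MARKER))
```

Running the module flags only the first log line (the request carrying `<script>` in `code`) and reports the constructed unpatched body as unescaped and the patched one as escaped. In practice `flag_log_lines` would be fed the Tomcat or front-end proxy access log, and `reflection_is_escaped` the body returned for a request that carries a harmless marker such as `MARKER` rather than the `alert(1)` string from the advisory.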





