grouper-users - [grouper-users] RE: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3

  • From: "Hyzer, Chris"
  • To: Scott Koranda
  • Subject: [grouper-users] RE: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3
  • Date: Mon, 23 Jul 2018 15:19:58 +0000

There might be other ways, but I believe you need to trick a user to click on
a malicious link...

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)



-----Original Message-----
From: Scott Koranda
Sent: Monday, July 23, 2018 11:17 AM
To: Hyzer, Chris
Cc:
Subject: Re: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3

Hi,

Does exploiting the vulnerability require authenticated access to the
Grouper UI?

Thanks,

Scott K

> There is an XSRF security vulnerability in the Grouper UI.
>
> Grouper v2.2 and v2.3 are affected.
>
> The patches for this have no dependencies (i.e. you don't have to install
> other patches) and are low risk lightweight patches, so you should apply
> these asap.
>
> https://bugs.internet2.edu/jira/browse/GRP-1838
>
> 2.2: grouper_v2_2_2_ui_patch_6
> 2.3: grouper_v2_3_0_ui_patch_45
>
> There are patches for 2.2.2 and 2.3.0. Note, if you are using 2.2.0 or
> 2.2.1, you can still unzip that patch and manually apply it in the classes
> dir and it should work. If the java version of the patch does not match
> what you are running we can recompile the source for your version.
>
> Thanks to Jerry Lee, Information Security Analyst, University of Auckland,
> for finding this and clearly describing it to the team.
>
> Reproduce this by appending this to your URL:
>
> /grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E
>
> e.g.
>
> https://grouperdemo.internet2.edu/grouper_v2_2/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E
>
> If the vulnerability exists, you will see this:
>
> [https://bugs.internet2.edu/jira/secure/attachment/15871/15871_image-2018-07-20-13-14-40-882.png]
>
> If the patch is applied and the vulnerability is fixed, you will see this:
>
> [https://bugs.internet2.edu/jira/secure/attachment/15872/15872_image-2018-07-20-13-46-52-199.png]
>
>
> Let me know if you have any questions.
>
> Thanks
> Chris
>
> PS. Here is what I just did for Penn (in test and prod):
>
>
> 1. Verify exists:
>
> https://grouper.apps.upenn.edu/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E
>
>
> 2. Install patch
>
> [appadmin@fastprod-mgmt-01 patching]$ more run.sh
> #!/bin/bash
>
> export JAVA_HOME=/opt/appserv/common/java
> export PATH=$JAVA_HOME/bin:$PATH
> cd /opt/appserv/tomcat/apps/grouper/patching
> java -cp .:grouperInstaller.jar edu.internet2.middleware.grouperInstaller.GrouperInstaller
> echo
> echo "run this to complete the patching"
> echo 'clusterRun grouper "rm -rf /opt/appserv/tomcat/apps/grouper/work/*"'
> echo "clusterCopy.sh grouper /opt/appserv/tomcat/apps/grouper/webapps/grouper"
> echo "clusterTomcat grouper restart"
> [appadmin@fastprod-mgmt-01 patching]$ ./run.sh
> Do you want to 'install' a new installation of grouper, 'upgrade' an
> existing installation,
> 'patch' an existing installation, 'admin' utilities, or 'createPatch' for
> Grouper developers
> (enter: 'install', 'upgrade', 'patch', 'admin', 'createPatch' or blank
> for the default) [patch]:
> Enter in a Grouper temp directory to download tarballs (note: better if no
> spaces or special chars)
> [/opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs]:
> What do you want to patch? api, ui, ws, pspng, or psp? [UI]:
> Where is the grouper UI installed?
> [/opt/appserv/tomcat/apps/grouper/webapps/grouper]:
> What do you want to do with patches (install, revert, status,
> fixIndexFile)? [install]:
> Do you want to fix the patch index file (download all patches and see if
> they are installed?) (not recommended) (t|f)? [f]:
>
> Would you like to install all patches (t|f)? [t]:
> f
> Would you like to install patches up to a certain patch level? (t|f)? [f]:
>
> Would you like to install certain specified patches? (t|f)? [f]:
> t
> What patches would you like to install [comma-separated] (e.g.
> grouper_v2_3_0_api_patch_0, grouper_v2_3_0_api_patch_1,
> grouper_v2_3_0_ui_patch_0)? :
> grouper_v2_3_0_ui_patch_45
>
>
> ################ Checking patch grouper_v2_3_0_ui_patch_45
> Downloading from URL:
> http://software.internet2.edu/grouper/release/2.3.0/patches/grouper_v2_3_0_ui_patch_45.tar.gz
> to file:
> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz
> Unzipping:
> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz
> Expanding:
> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar
> to
> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45
> Patch grouper_v2_3_0_ui_patch_45 is low risk, is a security patch
> GRP-1838: xsrf problem with /UiV2Public.index
> - added to end of property file: grouper_v2_3_0_ui_patch_45.date =
> 2018/07/20 14:44:49
> This patch requires all processes that user Grouper to be stopped.
> Please stop these processes if they are running and press <enter> to
> continue...
>
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class
> Applying file:
> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java
> Patch successfully applied: grouper_v2_3_0_ui_patch_45
> - added to end of property file: grouper_v2_3_0_ui_patch_45.state = applied
>
> [appadmin@fastprod-mgmt-01 patching]$ clusterCopy.sh grouper
> /opt/appserv/tomcat/apps/grouper/webapps/grouper
> COPY TO SERVER fastprod-medium-a-01:
> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper
> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps
> sending incremental file list
> grouper/WEB-INF/grouperPatchStatus.properties
> grouper/WEB-INF/classes/
> grouper/WEB-INF/classes/grouper-loader.properties~
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class
> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java
>
> sent 78534 bytes received 734 bytes 31707.20 bytes/sec
> total size is 120040994 speedup is 1514.37
>
> Complete copy.sh on servers: fastprod-medium-a-01 fastprod-medium-a-02
> fastprod-medium-a-03 fastprod-medium-a-04 fastprod-medium-a-05:
> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper
> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps
> [appadmin@fastprod-mgmt-01 patching]$ clusterTomcat grouper restart
> SERVER fastprod-medium-a-01: /sbin/service tomcat_grouper restart
> SERVER fastprod-medium-a-02: /sbin/service tomcat_grouper restart
> SERVER fastprod-medium-a-03: /sbin/service tomcat_grouper restart
> SERVER fastprod-medium-a-04: /sbin/service tomcat_grouper restart
> SERVER fastprod-medium-a-05: /sbin/service tomcat_grouper restart
> SUCCESS: grouper
> [appadmin@fastprod-mgmt-01 patching]$
>
>
> 3. Verify fixed
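The "Verify exists" / "Verify fixed" steps in the quoted advisory are done by eye against two screenshots. The script below is an added example (my code, not Grouper project code and not from the advisory) that builds the same GRP-1838 probe URL for any Grouper UI base URL and classifies the response: the UI is vulnerable if the raw `<script>alert(1)</script>` value of the `code` parameter is reflected into the page. Assumptions of mine: a patched UI renders the `code` value HTML-escaped (the advisory only shows before/after screenshots, so the escaped form is assumed rather than taken from the patch), the sample HTML bodies are constructed stand-ins for real server responses, and `grouper.example.edu` in the usage comment is a placeholder host.

```python
"""
Added example, not Grouper project code: offline checker for the GRP-1838
probe URL from the advisory (steps "1. Verify exists" / "3. Verify fixed").

Assumptions (mine, not stated in the advisory):
  * a patched UI renders the `code` value HTML-escaped; the advisory only
    shows before/after screenshots, so the escaped form is assumed.
  * VULNERABLE_BODY / PATCHED_BODY are constructed stand-ins for real
    server responses.
"""
import html
import urllib.error
import urllib.parse
import urllib.request

# Endpoint, query and payload exactly as given in the advisory.
PROBE_PATH = "/grouperExternal/public/UiV2Public.index"
PROBE_QUERY = "operation=UiV2Public.postIndex&function=UiV2Public.error&code="
PROBE_PAYLOAD = "<script>alert(1)</script>"


def probe_url(base_url: str, payload: str = PROBE_PAYLOAD) -> str:
    """Build the advisory's test URL for a Grouper UI base URL.

    safe="()/" keeps parentheses and the slash literal so the result matches
    the advisory's own encoding: %3Cscript%3Ealert(1)%3C/script%3E
    """
    encoded = urllib.parse.quote(payload, safe="()/")
    return base_url.rstrip("/") + PROBE_PATH + "?" + PROBE_QUERY + encoded


def classify(body: str, payload: str = PROBE_PAYLOAD) -> str:
    """Classify a response body fetched from the probe URL.

    "vulnerable"   raw payload reflected into the page (the alert(1) case)
    "patched"      only the HTML-escaped form is present (assumed fix)
    "inconclusive" neither form found: wrong base URL, login redirect, etc.
    """
    if payload in body:
        return "vulnerable"
    if html.escape(payload, quote=False) in body:
        return "patched"
    return "inconclusive"


def fetch_body(url: str, timeout: float = 10.0) -> str:
    """GET the probe URL and return the decoded body (needs network access)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # An error status page can still reflect the value, so inspect it too.
        return err.read().decode("utf-8", errors="replace")


# Constructed sample responses (not captured from any real Grouper server).
VULNERABLE_BODY = (
    "<html><body><div class=\"alert alert-danger\">"
    "Error: <script>alert(1)</script></div></body></html>"
)
PATCHED_BODY = (
    "<html><body><div class=\"alert alert-danger\">"
    "Error: &lt;script&gt;alert(1)&lt;/script&gt;</div></body></html>"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python grp1838_check.py https://grouper.example.edu/grouper
        url = probe_url(sys.argv[1])
        print(url, "->", classify(fetch_body(url)))
    else:
        for name, body in (("constructed vulnerable", VULNERABLE_BODY),
                           ("constructed patched", PATCHED_BODY)):
            print(name, "->", classify(body))
```

Run it with the UI base URL (the part before `/grouperExternal/...`) to check a real deployment before and after the patch; with no argument it only runs the constructed samples. `classify` checks for the raw payload first, so a page that somehow contains both forms is reported as vulnerable, and an "inconclusive" result (for example a redirect to a login page) means the probe never reached the error handler and says nothing either way.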
