grouper-users - Re: [grouper-users] Re: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3

  • From: Andrew Morgan <>
  • To: Scott Koranda <>
  • Cc: "Hyzer, Chris" <>,
  • Subject: Re: [grouper-users] Re: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3
  • Date: Mon, 23 Jul 2018 09:37:24 -0700 (PDT)

The alert script displays on my Grouper instance when I'm not logged in. In the background (under the pop-up), I see the Grouper error page which says, "Click here to start over." This is the usual error page I see when my session has expired. In this case, I deleted my Grouper cookies before attempting this.

Andy




On Mon, 23 Jul 2018, Scott Koranda wrote:

Hi,

Does exploiting the vulnerability require authenticated access to the
Grouper UI?

Thanks,

Scott K

There is an XSRF security vulnerability in the Grouper UI.

Grouper v2.2 and v2.3 are affected.

The patches for this have no dependencies (i.e. you don't have to install
other patches) and are low risk lightweight patches, so you should apply
these asap.

https://bugs.internet2.edu/jira/browse/GRP-1838

2.2: grouper_v2_2_2_ui_patch_6
2.3: grouper_v2_3_0_ui_patch_45

There are patches for 2.2.2 and 2.3.0. Note, if you are using 2.2.0 or
2.2.1, you can still unzip that patch and manually apply it in the classes
dir and it should work. If the java version of the patch does not match what
you are running we can recompile the source for your version.

Thanks to Jerry Lee, Information Security Analyst, University of Auckland,
for finding this and clearly describing it to the team.

Reproduce this by appending this to your URL:

/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E

e.g.

https://grouperdemo.internet2.edu/grouper_v2_2/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E

If the vulnerability exists, you will see this:

[https://bugs.internet2.edu/jira/secure/attachment/15871/15871_image-2018-07-20-13-14-40-882.png]

If the patch is applied and the vulnerability is fixed, you will see this:

[https://bugs.internet2.edu/jira/secure/attachment/15872/15872_image-2018-07-20-13-46-52-199.png]


Let me know if you have any questions.

Thanks
Chris

Ps. Here is what I just did for Penn (in test and prod):


1. Verify exists:

https://grouper.apps.upenn.edu/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E


2. Install patch

[appadmin@fastprod-mgmt-01 patching]$ more run.sh
#!/bin/bash

export JAVA_HOME=/opt/appserv/common/java
export PATH=$JAVA_HOME/bin:$PATH
cd /opt/appserv/tomcat/apps/grouper/patching
java -cp .:grouperInstaller.jar edu.internet2.middleware.grouperInstaller.GrouperInstaller
echo
echo "run this to complete the patching"
echo 'clusterRun grouper "rm -rf /opt/appserv/tomcat/apps/grouper/work/*"'
echo "clusterCopy.sh grouper /opt/appserv/tomcat/apps/grouper/webapps/grouper"
echo "clusterTomcat grouper restart"
[appadmin@fastprod-mgmt-01 patching]$ ./run.sh
Do you want to 'install' a new installation of grouper, 'upgrade' an existing
installation,
'patch' an existing installation, 'admin' utilities, or 'createPatch' for
Grouper developers
(enter: 'install', 'upgrade', 'patch', 'admin', 'createPatch' or blank for
the default) [patch]:
Enter in a Grouper temp directory to download tarballs (note: better if no
spaces or special chars)
[/opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs]:
What do you want to patch? api, ui, ws, pspng, or psp? [UI]:
Where is the grouper UI installed?
[/opt/appserv/tomcat/apps/grouper/webapps/grouper]:
What do you want to do with patches (install, revert, status, fixIndexFile)?
[install]:
Do you want to fix the patch index file (download all patches and see if they
are installed?) (not recommended) (t|f)? [f]:

Would you like to install all patches (t|f)? [t]:
f
Would you like to install patches up to a certain patch level? (t|f)? [f]:

Would you like to install certain specified patches? (t|f)? [f]:
t
What patches would you like to install [comma-separated] (e.g.
grouper_v2_3_0_api_patch_0, grouper_v2_3_0_api_patch_1,
grouper_v2_3_0_ui_patch_0)? :
grouper_v2_3_0_ui_patch_45


################ Checking patch grouper_v2_3_0_ui_patch_45
Downloading from URL:
http://software.internet2.edu/grouper/release/2.3.0/patches/grouper_v2_3_0_ui_patch_45.tar.gz
to file:
/opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz
Unzipping:
/opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz
Expanding:
/opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar
to
/opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45
Patch grouper_v2_3_0_ui_patch_45 is low risk, is a security patch
GRP-1838: xsrf problem with /UiV2Public.index
- added to end of property file: grouper_v2_3_0_ui_patch_45.date = 2018/07/20
14:44:49
This patch requires all processes that user Grouper to be stopped.
Please stop these processes if they are running and press <enter> to
continue...

Applying file:
/opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class
Applying file:
/opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class
Applying file:
/opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class
Applying file:
/opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class
Applying file:
/opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class
Applying file:
/opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class
Applying file:
/opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class
Applying file:
/opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java
Patch successfully applied: grouper_v2_3_0_ui_patch_45
- added to end of property file: grouper_v2_3_0_ui_patch_45.state = applied

[appadmin@fastprod-mgmt-01 patching]$ clusterCopy.sh grouper /opt/appserv/tomcat/apps/grouper/webapps/grouper
COPY TO SERVER fastprod-medium-a-01:
/opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper
/opt/appserv/local/tomcat/letters/tomcat_2v/webapps
sending incremental file list
grouper/WEB-INF/grouperPatchStatus.properties
grouper/WEB-INF/classes/
grouper/WEB-INF/classes/grouper-loader.properties~
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java

sent 78534 bytes received 734 bytes 31707.20 bytes/sec
total size is 120040994 speedup is 1514.37

Complete copy.sh on servers: fastprod-medium-a-01 fastprod-medium-a-02
fastprod-medium-a-03 fastprod-medium-a-04 fastprod-medium-a-05:
/opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper
/opt/appserv/local/tomcat/letters/tomcat_2v/webapps
[appadmin@fastprod-mgmt-01 patching]$ clusterTomcat grouper restart
SERVER fastprod-medium-a-01: /sbin/service tomcat_grouper restart
SERVER fastprod-medium-a-02: /sbin/service tomcat_grouper restart
SERVER fastprod-medium-a-03: /sbin/service tomcat_grouper restart
SERVER fastprod-medium-a-04: /sbin/service tomcat_grouper restart
SERVER fastprod-medium-a-05: /sbin/service tomcat_grouper restart
SUCCESS: grouper
[appadmin@fastprod-mgmt-01 patching]$


3. Verify fixed
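For operators who want to know whether the public error page in this advisory has been probed on their own instances, here is an added example (not code from the advisory, from Chris, or from the Grouper project) that scans combined-format access log lines (Apache or Tomcat AccessLogValve style) for requests to /grouperExternal/public/UiV2Public.index with function=UiV2Public.error and markup in the code parameter. The log lines embedded below are constructed for illustration; the endpoint, function name and reproduction payload are the ones quoted in the advisory. Double percent-decoding is an assumption added so that a doubly encoded payload is still flagged.

```python
"""Flag access-log requests that probe the Grouper UiV2Public.error reflection.

Added example, not code from the advisory or the Grouper project. Assumes a
combined-format access log; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: host ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The public, unauthenticated entry point named in GRP-1838.
VULN_PATH = "/grouperExternal/public/UiV2Public.index"
VULN_FUNCTION = "UiV2Public.error"
# Markup-significant content that has no business in an error code value.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+=", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line as a dict, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_code_values(uri):
    """Return the decoded `code` values of a UiV2Public.error request, else []."""
    parts = urlsplit(uri)
    if not parts.path.endswith(VULN_PATH):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if VULN_FUNCTION not in params.get("function", []):
        return []
    # parse_qs already decoded once; decode twice more so that a doubly
    # encoded payload (%253C for '<') is normalised as well (assumption).
    return [unquote(unquote(v)) for v in params.get("code", [])]


def is_error_page_probe(uri):
    """True if the URI targets the public error page with markup in `code`."""
    return any(MARKUP_RE.search(v) for v in decoded_code_values(uri))


def find_probes(log_lines):
    """Return (client host, status, decoded code value) per matching line."""
    hits = []
    for line in log_lines:
        fields = parse_line(line)
        if fields is None or not is_error_page_probe(fields["uri"]):
            continue
        code = decoded_code_values(fields["uri"])[0]
        hits.append((fields["host"], int(fields["status"]), code))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # Legitimate use of the public error page: a plain error code.
    '203.0.113.5 - - [23/Jul/2018:09:10:11 -0700] "GET /grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=sessionExpired HTTP/1.1" 200 5120',
    # The advisory's reproduction payload, percent-encoded as in the URL.
    '198.51.100.7 - - [23/Jul/2018:09:12:44 -0700] "GET /grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4872',
    # The same payload, doubly percent-encoded.
    '198.51.100.7 - - [23/Jul/2018:09:12:59 -0700] "GET /grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 4872',
    # Unrelated, authenticated UI traffic.
    '203.0.113.9 - jdoe [23/Jul/2018:09:13:02 -0700] "GET /grouper/grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for host, status, code in find_probes(SAMPLE_LOG):
        print(f"{host} status={status} code={code!r}")
```

A hit with status 200 on an unpatched instance means the value was rendered; after the patch the same request is still worth logging, since it shows who is probing the public endpoint, which (as Andy notes above) needs no session cookie to reach.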
Archive powered by MHonArc 2.6.19.