RE: [grouper-users] Re: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3
  • From: "Redman, Chad" <>
  • To: "Hyzer, Chris" <>, Andrew Morgan <>, Scott Koranda <>
  • Subject: RE: [grouper-users] Re: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3
  • Date: Tue, 24 Jul 2018 16:19:09 +0000

The error page doesn't require a session (otherwise nobody would ever see the
anonymous session error), so whether it's protected or not depends on what
the server is set up to protect. The default web.xml doesn't require a login
for /grouperExternal/public/* , so some setups may still have an avenue for
access to this particular page. If using SSO, that generally protects the
whole site, so it should be better protected.

As a reflected XSS vulnerability, the risk is not just Grouper actions but
anything the browser is trusted to do -- expose cookies, rewrite pages, read
personal data, etc.

-Chad


-----Original Message-----
From: [mailto:] On Behalf Of Hyzer, Chris
Sent: Monday, July 23, 2018 1:10 PM
To: Andrew Morgan <>; Scott Koranda <>
Cc:
Subject: RE: [grouper-users] Re: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3

If an unauthenticated user goes to Grouper, they can't do much. The XSRF link
must be sent to another user, and generally you would configure your AUTHN to
protect grouper. So that user would need to authenticate in order to try to
steal a session or get the user to perform something (e.g. add a user to a
group). So... when I click on the link for the grouperdemo it prompts me to
login since shib protects that servlet...

Thanks
Chris

-----Original Message-----
From: Andrew Morgan [mailto:]
Sent: Monday, July 23, 2018 12:37 PM
To: Scott Koranda <>
Cc: Hyzer, Chris <>;
Subject: Re: [grouper-users] Re: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3

The alert script displays on my Grouper instance when I'm not logged in.
In the background (under the pop-up), I see the Grouper error page which
says, "Click here to start over." This is the usual error page I see when
my session has expired. In this case, I deleted my Grouper cookies before
attempting this.

Andy




On Mon, 23 Jul 2018, Scott Koranda wrote:

> Hi,
>
> Does exploiting the vulnerability require authenticated access to the
> Grouper UI?
>
> Thanks,
>
> Scott K
>
>> There is an XSRF security vulnerability in the Grouper UI.
>>
>> Grouper v2.2 and v2.3 are affected.
>>
>> The patches for this have no dependencies (i.e. you don't have to install
>> other patches) and are low risk lightweight patches, so you should apply
>> these asap.
>>
>> https://bugs.internet2.edu/jira/browse/GRP-1838
>>
>> 2.2: grouper_v2_2_2_ui_patch_6
>> 2.3: grouper_v2_3_0_ui_patch_45
>>
>> There are patches for 2.2.2 and 2.3.0. Note, if you are using 2.2.0 or
>> 2.2.1, you can still unzip that patch and manually apply it in the classes
>> dir and it should work. If the java version of the patch does not match
>> what you are running we can recompile the source for your version.
>>
>> Thanks to Jerry Lee, Information Security Analyst, University of Auckland,
>> for finding this and clearly describing it to the team.
>>
>> Reproduce this by appending this to your URL:
>>
>> /grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E
>>
>> e.g.
>>
>> https://grouperdemo.internet2.edu/grouper_v2_2/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E
>>
>> If the vulnerability exists, you will see this:
>>
>> [https://bugs.internet2.edu/jira/secure/attachment/15871/15871_image-2018-07-20-13-14-40-882.png]
>>
>> If the patch is applied and the vulnerability is fixed, you will see this:
>>
>> [https://bugs.internet2.edu/jira/secure/attachment/15872/15872_image-2018-07-20-13-46-52-199.png]
>>
>>
>> Let me know if you have any questions.
>>
>> Thanks
>> Chris
>>
>> Ps. Here is what I just did for Penn (in test and prod):
>>
>>
>> 1. Verify exists:
>>
>> https://grouper.apps.upenn.edu/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E
>>
>>
>> 2. Install patch
>>
>> [appadmin@fastprod-mgmt-01 patching]$ more run.sh
>> #!/bin/bash
>>
>> export JAVA_HOME=/opt/appserv/common/java
>> export PATH=$JAVA_HOME/bin:$PATH
>> cd /opt/appserv/tomcat/apps/grouper/patching
>> java -cp .:grouperInstaller.jar
>> edu.internet2.middleware.grouperInstaller.GrouperInstaller
>> echo
>> echo "run this to complete the patching"
>> echo 'clusterRun grouper "rm -rf /opt/appserv/tomcat/apps/grouper/work/*"'
>> echo "clusterCopy.sh grouper
>> /opt/appserv/tomcat/apps/grouper/webapps/grouper"
>> echo "clusterTomcat grouper restart"
>> [appadmin@fastprod-mgmt-01 patching]$ ./run.sh
>> Do you want to 'install' a new installation of grouper, 'upgrade' an
>> existing installation,
>> 'patch' an existing installation, 'admin' utilities, or 'createPatch'
>> for Grouper developers
>> (enter: 'install', 'upgrade', 'patch', 'admin', 'createPatch' or blank
>> for the default) [patch]:
>> Enter in a Grouper temp directory to download tarballs (note: better if no
>> spaces or special chars)
>> [/opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs]:
>> What do you want to patch? api, ui, ws, pspng, or psp? [UI]:
>> Where is the grouper UI installed?
>> [/opt/appserv/tomcat/apps/grouper/webapps/grouper]:
>> What do you want to do with patches (install, revert, status,
>> fixIndexFile)? [install]:
>> Do you want to fix the patch index file (download all patches and see if
>> they are installed?) (not recommended) (t|f)? [f]:
>>
>> Would you like to install all patches (t|f)? [t]:
>> f
>> Would you like to install patches up to a certain patch level? (t|f)? [f]:
>>
>> Would you like to install certain specified patches? (t|f)? [f]:
>> t
>> What patches would you like to install [comma-separated] (e.g.
>> grouper_v2_3_0_api_patch_0, grouper_v2_3_0_api_patch_1,
>> grouper_v2_3_0_ui_patch_0)? :
>> grouper_v2_3_0_ui_patch_45
>>
>>
>> ################ Checking patch grouper_v2_3_0_ui_patch_45
>> Downloading from URL:
>> http://software.internet2.edu/grouper/release/2.3.0/patches/grouper_v2_3_0_ui_patch_45.tar.gz
>> to file:
>> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz
>> Unzipping:
>> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz
>> Expanding:
>> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar
>> to
>> /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45
>> Patch grouper_v2_3_0_ui_patch_45 is low risk, is a security patch
>> GRP-1838: xsrf problem with /UiV2Public.index
>> - added to end of property file: grouper_v2_3_0_ui_patch_45.date =
>> 2018/07/20 14:44:49
>> This patch requires all processes that user Grouper to be stopped.
>> Please stop these processes if they are running and press <enter> to
>> continue...
>>
>> Applying file:
>> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class
>> Applying file:
>> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class
>> Applying file:
>> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class
>> Applying file:
>> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class
>> Applying file:
>> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class
>> Applying file:
>> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class
>> Applying file:
>> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class
>> Applying file:
>> /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java
>> Patch successfully applied: grouper_v2_3_0_ui_patch_45
>> - added to end of property file: grouper_v2_3_0_ui_patch_45.state = applied
>>
>> [appadmin@fastprod-mgmt-01 patching]$ clusterCopy.sh grouper
>> /opt/appserv/tomcat/apps/grouper/webapps/grouper
>> COPY TO SERVER fastprod-medium-a-01:
>> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper
>> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps
>> sending incremental file list
>> grouper/WEB-INF/grouperPatchStatus.properties
>> grouper/WEB-INF/classes/
>> grouper/WEB-INF/classes/grouper-loader.properties~
>> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/
>> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class
>> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class
>> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class
>> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class
>> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class
>> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class
>> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class
>> grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java
>>
>> sent 78534 bytes received 734 bytes 31707.20 bytes/sec
>> total size is 120040994 speedup is 1514.37
>>
>> Complete copy.sh on servers: fastprod-medium-a-01 fastprod-medium-a-02
>> fastprod-medium-a-03 fastprod-medium-a-04 fastprod-medium-a-05:
>> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper
>> /opt/appserv/local/tomcat/letters/tomcat_2v/webapps
>> [appadmin@fastprod-mgmt-01 patching]$ clusterTomcat grouper restart
>> SERVER fastprod-medium-a-01: /sbin/service tomcat_grouper restart
>> SERVER fastprod-medium-a-02: /sbin/service tomcat_grouper restart
>> SERVER fastprod-medium-a-03: /sbin/service tomcat_grouper restart
>> SERVER fastprod-medium-a-04: /sbin/service tomcat_grouper restart
>> SERVER fastprod-medium-a-05: /sbin/service tomcat_grouper restart
>> SUCCESS: grouper
>> [appadmin@fastprod-mgmt-01 patching]$
>>
>>
>> 3. Verify fixed


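The thread above gives operators two practical tasks: checking whether anyone has been hitting the unauthenticated `/grouperExternal/public/UiV2Public.index` error function with markup in the `code` parameter (GRP-1838), and understanding what the fix has to do on the rendering side. The following is an added example written for this page, not Grouper's code or its patch: the log scanner uses the endpoint and parameter names from the advisory, the markup heuristic and the Apache-style sample log lines are constructed, and `render_error_code` shows the general output-encoding fix for reflected XSS rather than what the Grouper patch actually changed in `TextContainer`.

```python
# Added example (not Grouper's code): flag access-log requests aimed at the
# GRP-1838 error function, and illustrate output encoding as the general fix.
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter come from the advisory; the markup test is a heuristic.
ERROR_FUNCTION = "UiV2Public.error"
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.IGNORECASE)
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d"')

def is_xss_probe(url: str) -> bool:
    """True if url targets the public error function with markup in `code`."""
    parts = urlsplit(url)
    if not parts.path.endswith("/grouperExternal/public/UiV2Public.index"):
        return False
    qs = parse_qs(parts.query)
    if ERROR_FUNCTION not in qs.get("function", []):
        return False
    # parse_qs already decoded once; decode again to catch double-encoded values.
    return any(MARKUP_RE.search(unquote(unquote(v))) for v in qs.get("code", []))

def scan_access_log(lines):
    """Return (client_ip, url) for each combined-format log line that is a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_xss_probe(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

def render_error_code(code: str) -> str:
    """General fix: HTML-encode untrusted input before placing it in a page.
    This illustrates the principle; it is not the code in Grouper's patch."""
    return "<p>Error code: " + html.escape(code, quote=True) + "</p>"

# Constructed sample log lines (not real traffic); the first reuses the
# advisory's test URL, the second is a benign use of the same endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2018:12:37:01 -0400] "GET /grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123',
    '198.51.100.9 - - [23/Jul/2018:12:38:10 -0400] "GET /grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=sessionTimeout HTTP/1.1" 200 5100',
    '203.0.113.5 - - [23/Jul/2018:12:39:44 -0400] "GET /grouper/grouperUi/app/UiV2Main.index HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, url in scan_access_log(SAMPLE_LOG):
        print("probe from", ip, "->", url)
    print(render_error_code("<script>alert(1)</script>"))
```

Because the public path is not behind web.xml authentication by default, the scanner is worth running over the period before the patch was applied even on SSO-fronted deployments, where the quoted messages disagree about what was reachable.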
