Skip to Content.
Sympa Menu

grouper-users - [grouper-users] Security advisory GRP-3015 for Grouper

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] Security advisory GRP-3015 for Grouper


Chronological Thread 
    < Chronological >      < Thread >
  • From: "Hyzer, Chris" <>
  • To: " Mailing List" <>, "" <>
  • Subject: [grouper-users] Security advisory GRP-3015 for Grouper
  • Date: Mon, 9 Nov 2020 21:43:35 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=isc.upenn.edu; dmarc=pass action=none header.from=isc.upenn.edu; dkim=pass header.d=isc.upenn.edu; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YkDqBJhltU4YOtaNXn7JofYhp+ODLJdb3WN92qSnwig=; b=WwbaTlri4pVYofD1QrEuMOGaoaLC7U1pHRaO2nIL1UC4jlatWC20G7iXWKLn4o96o/NXeve4n3sZBaXRJkIMjzu4Inxj1Nz8wLZI1xGFdepilYVxM0eEnOkPbMUkcDoAp/gEipvD26MYAGPixE4NrrzNCRRyG38d29R8AJHluOaVClQG3ayP/Dd0BOjXk29CrysaD2ybJNLmBAzDmUvem43r4OY7WdB46l9FqnoEQ/DKqJaO+yxcl1BvDhB8mflaiRDvEwernlXCUz2YXWPMH8fDKAM27JYup9LHAhgVItgtpt5AhRTMByKQqPzHs8lNTOQeAteY/3BSw6s9Q6KKTw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QVi45peGh+JgYsZdKf+8ev4v6f8Yvvh/T4sO2lsIvjdLAK0aJx28+FnEp3B49Qs1i4f7i3NaTpuJNeHA2fMbUpDPl/L1WOgfyJ6z3HXTS4s10zkIY6G1M2h7iBGBmYy/3sIcC5nVA5daxMKVSD7MbFyYqfFRjmqyhudegl0VikUjzQYx8aqiX727gPaTUP3Pb1/Vs+nhRc2+/QDIgDgrBmMvMKt2OuR9NzECMqGjiubaGImVQY8q1OcbLJklilTyDT9+k887xzGv4EkkvM6bMRJUyEd+LxNI+qpOiTOb2I/eQoAoWvoC/sAXaWUHCSxdPk5ZZKPp5TzFFsff8jdr9A==

Hello,

 

Grouper has a security vulnerability, affecting the following versions of Grouper:

 

- 2.5.36

- 2.5.37

 

You are affected if you using one of these versions and have secrets in plain text in environment variables in the Grouper container.  On startup the container prints out all env vars to the container logs.

 

This could lead to those at your institution who can view container logs to be able to view passwords that were in plain text in env vars.  For full details, please see the advisory linked below.

 


Thanks to JJ at Unicon for identifying this problem.


These two containers (2.5.36.1 and 2.5.37.1) are identical to the previous version but have only this issue fixed (and OS updates).  When 2.5.38+ is out, this is fixed there too.


Thanks

Chris Hyzer

Internet2 Grouper Lead


  • [grouper-users] Security advisory GRP-3015 for Grouper, Hyzer, Chris, 11/09/2020

Archive powered by MHonArc 2.6.19.

Top of Page