Grouper Users - Open Discussion List

[Chris Hyzer <>]

Regarding this advisory below for the Grouper Security Vulnerability, no one has said they need more time to remediate before we file a CVE and the details will be universally known.  So the schedule is this week we will let people know who are affected how they can test their remediated envs, and then we can file the CVE.  If you need more time to determine if you are affected or to remediate please send me an email ASAP:  .  Thanks! 

On Wednesday, October 11, 2023 at 10:36:06 AM EDT, Chris Hyzer <> wrote:

 Grouper security advisory

There is a zero-day severe and important security issue with Grouper.  If you are deployed in a certain configuration, then you are affected.  There are configuration changes you can make to protect yourself from the vulnerability.  These changes do not require an upgrade, patch, or downtime.  It is critical that you take these steps now.

 

Since the vulnerability is not documented and there is a mitigation plan, we are giving institutions some time to update their environment.  On or after Wednesday October 18, 2023, updates to the Grouper container releases for recent and current versions will be published, a CVE will be filed, and details of the issue will be provided.  However, if you are affected then you are at serious risk now and should react as if the details are known by addressing this immediately.

 

Might you be affected?

 

You might be affected if you run Grouper with either of these configurations in the grouper.hibernate.properties file:

 

grouper.is.ws.basicAuthn = true

grouper.is.ui.basicAuthn = true

 

Or if you have either of these container environment variables set:

 

GROUPER_WS_GROUPER_AUTH=true

GROUPER_UI_GROUPER_AUTH=true

Contact

If you might be affected, then send a direct slack message to Chris Hyzer, the project lead (request to join InCommon slack).  If you are not in InCommon slack then email .  The next steps will be provided.

 

Thank you.

Chris Hyzer on behalf of the Grouper project