Released: 21 August 2014
uPortal 4.0.15 GA Announcement
Apereo is proud to announce uPortal 4.0.15, continuing in our regular patch releases of uPortal 4.0.
About the vulnerabilities fixed in this release
uPortal 4.0.15 is a patch release of uPortal 4.0 cut to deliver a couple of important security fixes and to ship some minor fixes that had accumulated in the 4.0-patches maintenance branch. Prior to this release, uPortal CAS integration was defective in two ways:
1) CVE-2014-5059: in the typical uPortal CAS login configuration, a user logging in via CAS could log in as any user account, and
2) CVE-2014-4172: the Java CAS client library shipping in uPortal was vulnerable to an illicit proxy attack.
This release addresses these vulnerabilities by
- Shipping a corrected default, example security.properties configuration, and
- Shipping fixed CAS-integration uPortal SecurityContext implementations that fail safe even when the incorrect security.properties configuration is applied, and
- Fronting the vulnerable Java CAS Client with a new Filter that blocks CVE-2014-4172.
You can make your implementation secure against these vulnerabilities without otherwise upgrading by
- Fixing your security.properties AND/OR upgrading to the fixed version of the CasAssertionSecurityContext Java class, AND
- Fronting your local usage of the Java CAS Client as desc
You can make your implementation secure against these vulnerabilities by upgrading so long as in the course of that upgrade
- You fix your security.properties OR pick up the new version of the CasAssertionSecurityContext Java class, AND
- You update your web.xml to front your local usage of the Java CAS client as shown in the web.xml provided with the release.
You are not vulnerable to these specific issues if you are not using CAS as the mechanism for authenticating users to your uPortal.
About the other goodness in this release
uPortal 4.0.15 rolls back an acceptAnyProxy configuration that had been introduced in the 4.0 line for 4.0.14. acceptAnyProxy tells the Java CAS Client to accept proxy tickets regardless of which application is proxying them. While this is convenient for demos, it would be unfortunate for that configuration to slip inadvertently into production in any uPortal environment, and this change moves the out-of-the-box configuration a little further from that.
The Attachments component of e.g. the SimpleContentPortlet had been inadvertently using a Hibernate-internal connection pool that is not intended for production use. This release fixes that configuration.
This release turns on Travis-CI continuous integration testing for the uPortal 4.0-patches branch. This provides an additional safety net and feedback mechanism for uPortal product development on this maintenance branch, and also gives you, the adopter, a better starting point for using Travis-CI for continuous integration testing of your local uPortal implementation.
This release no longer looks for dependencies in remote Maven snapshot repositories it probably shouldn't have been using.
- Requires Servlet API 2.5 to run. Tomcat 6.0 is the first version of Tomcat to support Servlet 2.5. You probably actually want a recent Tomcat 7.
- Requires JDK 1.6.0_26 or newer. Oracle JDK 6 is ridiculously old, so you probably want JDK 7 instead, which will work. JDK 8 will almost certainly also work, but wasn't the target version for this patch series.
- Data export and import is required when upgrading from a version earlier than 4.0.0. Login event aggregation data migration is required when upgrading from a version between 4.0.0 and 4.0.5; see above.
Issues addressed in uPortal 4.0.15
|Key||Summary||Created||Updated||Assignee||Reporter||Status||Resolution|
|UP-4205||CVE-2014-4172 uPortal includes Java CAS Client vulnerable to illicit proxy attack||Aug 11, 2014||Dec 30, 2014||Andrew Petro||Andrew Petro||Resolved||Fixed|
|UP-4192||CVE-2014-5059 Security Context chaining allows arbitrary username assertion||Jul 29, 2014||Jan 20, 2015||Andrew Petro||Drew Wills||Resolved||Fixed|
|UP-4164||acceptAnyProxy set to true in ootb CAS overlay||Jul 01, 2014||Aug 11, 2014||James Wennmacher||Andrew Petro||Resolved||Fixed|
|UP-4229||Update wiki documentation to warn of issue and to document creating secure security.properties configurations||Sep 10, 2014||Dec 30, 2014||Drew Wills||Andrew Petro||Resolved||Fixed|
|UP-4032||SimpleContentPortlet (attachments) uses Hibernate test connection pool||Mar 21, 2014||Jun 25, 2014||James Wennmacher||Paul Gazda||Resolved||Fixed|
|UP-4737||CVE-2016-1000257 Open Redirection Security Issue||Oct 04, 2016||Jan 10, 2017||Drew Wills||Aaron Grant||Resolved||Fixed|
|UP-4167||Exclude maven sonatype and apache snapshots from source repos||Jul 08, 2014||Nov 05, 2014||James Wennmacher||James Wennmacher||Resolved||Fixed|
|UP-4144||Travis-CI continuous integration||Jun 16, 2014||Jul 06, 2014||Andrew Petro||Andrew Petro||Resolved||Fixed|
Bugs known to afflict uPortal 4.0.15
(Note that this list is only as good as the affects-version metadata on the JIRA issues.)