CAS Vulnerability Disclosure


This is the public version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS where an adversary may be able to bypass certain administrative endpoints, in spite of CAS access rule in place. The following administrative endpoints are exposed and vulnerable to this attack:

  • /statistics/ping
  • /statistics/threads
  • /statistics/metrics
  • /statistics/healthcheck
  • /statistics/ssosessions and all sub endpoints

Affected Deployments

The attack vector specifically applies to all deployments of CAS v4.2.x deployments. If you have deployed any version of CAS 4.2.x, you MUST take action to upgrade. If you have deployed any other versions of CAS, disregard this announcement.


This is a serious issue where successfully exercising this vulnerability allows the adversary gain insight into the running CAS software, collect running threads, DOS the server repeatedly via pings and potentially observe the collection of active SSO sessions and meddle with user single sign-on activity.


Patch releases are available to address CAS v4.2.x deployments. Upgrades to the next patch version for each release should be a drop-in replacement. The patch simply ensures that the exposed endpoints honor the CAS access rules, and otherwise block attempts. When you have applied the patch, please double check all endpoints and ensure access is appropriately controlled.


The issue was originally reported to the CAS application security team on September 27, 2016. Upon confirmation, CAS was patched on September 28, 2016 and released. The original release announcement is available here.


Modify your CAS overlay to point to version 4.2.6. A snippet of a pom.xml for a CAS overlay follows:



Double check your file for the following setting:

# cas.securityContext.adminpages.ip=127\.0\.0\.1

Make sure the correct IP pattern is authorized to access admin pages.


If you are unable to apply the patch, it’s then best to ensure the outlined endpoints are blocked completely via load balancers, proxies, firewalls, etc.


If you have questions on the details this vulnerability and how it might be reproduced, please contact or


Related Posts

CAS 5.3.0 RC3 Feature Release which I present an overview of CAS 5.3.0 RC3 release.

Apereo CAS - REFEDS MFA Profile with shib-cas-authn3

An overview of the shib-cas-authn3 project and its support for the REFEDS MFA profile with both the Shibboleth Identity Provider and Apereo CAS lending a hand.

Forced Authentication with Apereo CAS

Discourse on supporting forced authentication with the Apereo CAS server from the perspective of an application protected with mod-auth-cas, the Apache httpd module for CAS.

Apereo CAS - Dances with Protocols

A short overview of how Apereo CAS may support multiple authentication protocols simultaneously while acting as both the primary identity provider or proxying another. Two Socks could not be reached for comments.

Why does uPortal use Apache 2 license?

Apache2 chose uPortal.

Apereo CAS - Attribute-based Application Authorization

A walkthrough to demonstrate how one might fetch attributes from a number of data sources, turning them into roles that could then be used to enforce application access and authorization.

CAS 5.3.0 RC2 Feature Release which I present an overview of CAS 5.3.0 RC2 release.

CAS 5.2.x Deployment - WAR Overlays

Learn how to configure and build your own CAS deployment via the WAR overlay method, get rich quickly, stay healthy indefinitely and respect family and friends in a few very easy steps.

Link CAS OIDC user to existing Database user

In which we show to link OIDC id to LDAP database user.

CAS Multifactor Authentication with Duo Security

A short walkthrough to demonstrate how one might turn on multifactor authentication with CAS using Duo Security, leveraging a variety of triggers.