uPortal 2016-11-14 Webproxy Portlet caching vulnerability


This is a public disclosure of a security vulnerability, near the tail end of applying the uPortal Security Incident Response Plan to this issue.

Affected software products:

  • Webproxy Portlet , versions 2.0.0 through 2.2.1 . 2.2.2 includes a fix.

Recent uPortal versions ship with bugged Webproxy Portlet versions.

Problem:

Affected versions

  • By default, cache proxied content, and
  • Require a source code edit to turn off this default behavior, and
  • Improperly compute the cache keys such that in some cases too little information is considered in computing cache keys.

Consequence:

  • Most adopters will not have locally turned off this caching strategy even if it is inappropriate for local usages, and
  • Usages where different users proxy the same backing URL may yield improper cross-user cache hits, with user B seeing content proxied for user A.

Saving graces:

  • For security purposes, this only matters if the proxies are interesting, providing personalized content.
  • Usages with unique URLs, such as where user attributes are conveyed as request parameters in the URL or the initial request in a typical Proxy CAS integration, will not yield improper cache hits.

Solutions:

  • Upgrade to Webproxy Portlet version 2.2.2 or later.
  • Locally modify your Webproxy Portlet 2 implementation to turn off caching, by de-activating or removing CachingHttpContentServiceImpl and instead activating HttpContentServiceImpl.

-Andrew

Related Posts

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS Log4J Vulnerability Disclosure

Disclosure of a security issue with the CAS software as a consumer of the Log4j logging framework.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Publish Private CAS Releases

GitHub Actions workflows allow publishing to private repositories.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.