CAS Vulnerability Disclosure


Overview

This is the initial version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS that affects multifactor authentication using the mfa-simple mode. All other multifactor authentication integrations are unaffected by this vulnerability.

This post will be updated with additional details once the grace period has passed.

Credits

Special thanks to Pavlos Drandakis, a member of the GUnet Identity Team, for originally reporting the issue to the CAS application security group, as well as for preparing and contributing an immediate fix.

Affected Deployments

The attack vector applies to deployments of the CAS server for the following versions:

- 6.0.x
- 6.1.x

Severity

Details will be posted here publicly once the grace period has passed.

Patching

Patch releases are available for affected CAS deployments. Upgrading to the next patch version of each release line should be a drop-in replacement.

Timeline

The issue was originally reported to the CAS application security team on November 21st, 2019 and upon confirmation, CAS was patched on November 22nd.

Procedure

6.0.x

Modify your CAS overlay to point to version 6.0.7. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.0.7

6.1.x

Modify your CAS overlay to point to version 6.1.2. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.1.2

6.2.x

Modify your CAS overlay to point to version 6.2.0-RC1. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.2.0-RC1
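The following is an added example, not code from the CAS project or this disclosure, for checking whether an overlay's gradle.properties already points at a patched version. It reads the cas.version property, compares it against the minimum patched versions stated above for the two affected release lines (6.0.7 for 6.0.x and 6.1.2 for 6.1.x), and reports other release lines as not listed in this disclosure. The sample gradle.properties content is constructed for the example; the version parsing treats a release-candidate qualifier such as -RC1 as sorting before the corresponding final release, which is an assumption about CAS version ordering rather than something the disclosure states.

```python
"""Check a CAS overlay's gradle.properties against the patched versions in this
disclosure. Added example; not CAS project code."""
import re

# Minimum patched version per affected release line, as stated in the disclosure.
PATCHED = {
    (6, 0): "6.0.7",
    (6, 1): "6.1.2",
}


def parse_version(version):
    """Split e.g. '6.2.0-RC1' into a sortable tuple.

    A missing qualifier (final release) sorts after any pre-release qualifier for
    the same numeric version, so 6.2.0-RC1 < 6.2.0 (assumption about CAS ordering).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(.+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised cas.version: {version!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    qualifier = m.group(4)
    if qualifier is None:
        rank = (1, 0)  # final release
    else:
        rc = re.fullmatch(r"RC(\d+)", qualifier, re.IGNORECASE)
        rank = (0, int(rc.group(1))) if rc else (0, 0)  # RCn, else other pre-release
    return nums, rank


def read_cas_version(properties_text):
    """Return the cas.version value from gradle.properties text, or None if absent."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "cas.version":
            return value.strip()
    return None


def assess(version):
    """Classify a cas.version as 'patched', 'vulnerable' or 'not_listed'."""
    parsed = parse_version(version)
    release_line = parsed[0][:2]
    if release_line not in PATCHED:
        return "not_listed"  # release line not named as affected by this disclosure
    return "patched" if parsed >= parse_version(PATCHED[release_line]) else "vulnerable"


def check_overlay(properties_text):
    """Combine the two steps: returns (version, status) for a gradle.properties body."""
    version = read_cas_version(properties_text)
    if version is None:
        return None, "no cas.version property found"
    return version, assess(version)


if __name__ == "__main__":
    # Constructed sample overlay configuration, not from any real deployment.
    sample = "# CAS overlay settings\ncas.version = 6.1.1\nspringBootVersion=2.1.0.RELEASE\n"
    print(check_overlay(sample))  # ('6.1.1', 'vulnerable')
```

To use it against a real overlay, pass the contents of its gradle.properties to check_overlay; a "vulnerable" result means the overlay still points at a 6.0.x or 6.1.x version below the patch release named in the Procedure section.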

Support

CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.

Resources

On behalf of the CAS Application Security working group,

Misagh Moayyed
