CAS Vulnerability Disclosure


Overview

This is the initial version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS that affects surrogate authentication and impersonation.

This post will be updated with additional details once the grace period has passed.

Affected Deployments

The attack vector applies to deployments of the CAS server for the following versions:

- 5.3.x
- 6.0.x
- 6.1.x

Severity

Details will be posted here publicly once the grace period has passed.

It is recommended that upgrades be carried out to removes any chances of security breaches.

Patching

Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.

Timeline

The issue was originally reported to the CAS application security team on December 18th, 2019 and upon confirmation, CAS was patched on December 20th.

Procedure

5.3.x

Modify your CAS overlay to point to version 5.3.15. A snippet of a pom.xml for a CAS overlay follows:

<properties>
    <cas.version>5.3.15</cas.version>
</properties>

6.0.x

Modify your CAS overlay to point to the version 6.0.8. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.0.8

6.1.x

Modify your CAS overlay to point to the version 6.1.3. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.1.3

6.2.x

Modify your CAS overlay to point to the version 6.2.0-RC2, when released. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.2.0-RC2

Support

CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.

Resources

On behalf of the CAS Application Security working group,

Misagh Moayyed

Related Posts

CAS 6.2.0 RC3 Feature Release

...in which I present an overview of CAS 6.2.0 RC3 release.

Checking Out Pull Requests Locally

Check out GitHub pull requests as local branches using a simple bash function.

CAS 6.2.0 RC2 Feature Release

...in which I present an overview of CAS 6.2.0 RC2 release.

Apereo CAS - Authentication Handler Resolution

Learn how to resolve and select authentication handlers based on configurable and flexible filtering criteria.

Apereo CAS - SAML2 Metadata Overrides

Learn how to manage SAML2 service provider registrations in CAS and override metadata artifacts on a per-application basis.

Apereo CAS - Managing Configuration Metadata

Learn how to manage CAS configuration and properties using Spring Boot Configuration metadata.

CAS 6.2.0 RC1 Feature Release

...in which I present an overview of CAS 6.2.0 RC1 release.

Apereo CAS - Deployment Using systemd

Fabio Martelli of Tirasa S.r.l reviews the setup required to deploy Apereo CAS as a system service using systemd.

Apereo CAS - Python Locust Load Testing

Learn to Performance Test Apereo CAS with Python Locust.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.