Overview
This is the initial version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS that affects the handling of user credentials managed by the ticket registry. All ticket registries supported by CAS are impacted by the issue, and specially more so if the ticket registry relies on persistent storage.
This post will be updated with additional details once the grace period has passed.
Affected Deployments
The security issue described here, per the CAS maintenance policy, affects the Apereo CAS server for the following versions:
- 6.1.x
- 6.2.x
If your CAS version is not listed above and is still part of an active maintenance cycle per the CAS maintenance policy, then best effort (analysis or confirmation from reporters/testers) indicates that the version is not affected by this issue. That said, please note that Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. For additional information, please see the project license.
If you or your institution is a member of the Apereo foundation with an active subscription supporting the CAS project, please contact the CAS application security working group to learn more about this security vulnerability report.
Severity
It is STRONGLY recommended that upgrades be carried out to removes any chances of security breaches.
The problem stems from the fact that user credentials during authentication events are captured and stored alongside the ticket-granting ticket in serialized form, which becomes a problem once the ticket itself is stored in the registry. This issue is masked if the ticket registry of choice does not support persistence (i.e. keeping data only in memory) or if the registry is configured to sign and encrypt data. In either of such scenarios, the impact is lessened although for best results, it would be best to apply the recommended patches outlined below.
Patching
Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.
Timeline
The issue was originally reported to the CAS application security team on July 23rd, 2020 and upon confirmation, CAS was patched on July 24th, 2020.
Procedure
6.1.x
Modify your CAS overlay to point to the version 6.1.7.1. A snippet of a gradle.properties for a CAS overlay follows:
cas.version=6.1.7.1
6.2.x
Modify your CAS overlay to point to the version 6.2.1. A snippet of a gradle.properties for a CAS overlay follows:
cas.version=6.2.1
Support
Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.
If you or your institution is a member of the Apereo foundation with an active subscription supporting the CAS project, please contact the CAS application security working group to learn more about this security vulnerability report.
Resources
On behalf of the CAS Application Security working group,