CAS Vulnerability Disclosure


Overview

This is the initial version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS that affects the handling of user credentials managed by the ticket registry. All ticket registries supported by CAS are impacted by the issue, and specially more so if the ticket registry relies on persistent storage.

This post will be updated with additional details once the grace period has passed.

Affected Deployments

The security issue described here, per the CAS maintenance policy, affects the Apereo CAS server for the following versions:

- 6.1.x
- 6.2.x

Severity

It is STRONGLY recommended that upgrades be carried out to removes any chances of security breaches.

Patching

Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.

Timeline

The issue was originally reported to the CAS application security team on July 23rd, 2020 and upon confirmation, CAS was patched on July 24th, 2020.

Procedure

6.1.x

Modify your CAS overlay to point to the version 6.1.7.1. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.1.7.1

6.2.x

Modify your CAS overlay to point to the version 6.2.1. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.2.1

Support

Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.

Resources

On behalf of the CAS Application Security working group,

Misagh Moayyed

Related Posts

CAS Release Notes Moved

CAS Release Notes are moved to the CAS site.

CAS 6.2.0 RC5 Feature Release

...in which I present an overview of CAS 6.2.0 RC5 release.

CAS 6.2.0 RC4 Feature Release

...in which I present an overview of CAS 6.2.0 RC4 release.

CAS 6.2.0 RC3 Feature Release

...in which I present an overview of CAS 6.2.0 RC3 release.

Apereo CAS - Bootiful CAS Client

Easy to use CAS Client

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Checking Out Pull Requests Locally

Check out GitHub pull requests as local branches using a simple bash function.

CAS 6.2.0 RC2 Feature Release

...in which I present an overview of CAS 6.2.0 RC2 release.

Apereo CAS - Authentication Handler Resolution

Learn how to resolve and select authentication handlers based on configurable and flexible filtering criteria.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.