CAS Vulnerability Disclosure


Overview

This is the initial version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS that affects the handling of secret keys with Google Authenticator for multifactor authentication.

This post will be updated with additional details once the grace period has passed.

Affected Deployments

The security issue described here, per the CAS maintenance policy, affects the Apereo CAS server for the following versions:

- 5.3.x 
- 6.0.x
- 6.1.x
- 6.2.x

If your CAS version is not listed above and is still part of an active maintenance cycle per the CAS maintenance policy, then best effort (analysis or confirmation from reporters/testers) indicates that the version is not affected by this issue. That said, please note that per the project’s Apache2 license, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. For additional information, please see the project license.

If you or your institution is a member of the Apereo foundation with an active subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.

Severity

It is recommended that upgrades be carried out to removes any chances of security breaches. If an upgrade is not possible, we recommend that you carefully review HTTP and access logs to sanitize and scrub details, especially if an external log aggregation tool is in place.

This post will be updated with additional details once the grace period has passed.

Timeline

The issue was originally reported on September 25th, 2020 and upon confirmation, CAS releases were patched and released on October 14th, 2020.

Patching

Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.

Procedure

5.3.x

Modify your CAS overlay to point to the version 5.3.16.

6.0.x

EOL. Upgrade your CAS overlay to point to CAS 6.1.7.2.

6.1.x

Modify your CAS overlay to point to the version 6.1.7.2.

6.2.x

Modify your CAS overlay to point to the version 6.2.4.

6.3.x

Modify your CAS overlay to point to the version 6.3.0-RC4 when released.

Support

Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.

If you or your institution is a member of the Apereo foundation with an active subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.

Resources

On behalf of the CAS Application Security working group,

Jérôme LELEU

Related Posts

CAS Multifactor Authentication with U2F and Bypass

A short walkthrough to demonstrate how one might turn on multifactor authentication with CAS using U2F and default bypass rule.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Release Notes Moved

CAS Release Notes are moved to the CAS site.

CAS 6.2.0 RC5 Feature Release

...in which I present an overview of CAS 6.2.0 RC5 release.

CAS 6.2.0 RC4 Feature Release

...in which I present an overview of CAS 6.2.0 RC4 release.

CAS 6.2.0 RC3 Feature Release

...in which I present an overview of CAS 6.2.0 RC3 release.

Apereo CAS - Bootiful CAS Client

Easy to use CAS Client

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Checking Out Pull Requests Locally

Check out GitHub pull requests as local branches using a simple bash function.

CAS 6.2.0 RC2 Feature Release

...in which I present an overview of CAS 6.2.0 RC2 release.