CAS OpenID Connect Vulnerability Disclosure


Overview

This is the version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS that when it’s acting as an OpenID Connect identity provider. If you are not using CAS as an OpenID Connect Provider, there is nothing to do here. Keep calm and carry on.

For additional details on how security issues, patches and announcements are handled, please read the Apereo CAS project vulnerability disclosure process.

Affected Deployments

The security issue described here, per the CAS maintenance policy, affects the Apereo CAS server for the following versions:

- 6.4.x
- 6.5.x

If your CAS version is not listed above AND is still part of an active maintenance cycle per the CAS maintenance policy, then best effort (analysis or confirmation from reporters/testers) indicates that the version is not affected by this issue. That said, please note that per the project’s Apache2 license, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. For additional information, please see the project license.

If you or your institution is a member of the Apereo foundation with an active support subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.

Severity

The underlying issue is related to revoking previously-issued OAuth/OIDC access tokens when an expired or invalid OAuth code is submitted to the CAS server in exchange for an access token. In this scenario, CAS will correctly reject the invalid code but begins to query the ticket registry to find all other access tokens previously issued for the invalid code to revoke those. This could potentially lead to a DDOS attack on any CAS system acting as an OIDC server by providing fake OAuth codes on the /token endpoint.

Timeline

The issue was originally reported on March 2nd, 2022 and upon confirmation, CAS releases were patched on March 5th, 2022 and released on March 6th, 2022.

Patching

Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.

Procedure

6.4.x

Modify your CAS overlay to point to the version 6.4.6.1.

6.5.x

Modify your CAS overlay to point to the version 6.5.1.

Support

Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.

If you or your institution is a member of the Apereo foundation with an active subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.

Resources

On behalf of the CAS Application Security working group,

Misagh Moayyed

Related Posts

CAS Spring Framework RCE Vulnerability Disclosure

Disclosure of the Spring framework RCE security issue with the Apereo CAS software.

CAS Log4J Vulnerability Disclosure

Disclosure of a security issue with the CAS software as a consumer of the Log4j logging framework.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

Publish Private CAS Releases

GitHub Actions workflows allow publishing to private repositories.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Multifactor Authentication with U2F and Bypass

A short walkthrough to demonstrate how one might turn on multifactor authentication with CAS using U2F and default bypass rule.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS software.

CAS Release Notes Moved

CAS Release Notes are moved to the CAS site.

CAS 6.2.0 RC5 Feature Release

...in which I present an overview of CAS 6.2.0 RC5 release.