Overview

This is the initial version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS deployment that supports accepting X.509 credentials as part of the CAS REST API where the X.509 functionality is configured to handle revocation via LDAP.

If you are not using the X.509 workflow or CAS REST API, there is nothing to do here. Keep calm and carry on.

For additional details on how security issues, patches and announcements are handled, please read the Apereo CAS project vulnerability disclosure process.

Credits

The issue was originally reported by Michael Stepankin, a member of the the GitHub Security Lab team. Michael was also kind enough to supply a fix, which was incorporated into the published releases. Thank you!

Affected Deployments

The security issue described here, per the CAS maintenance policy, affects the Apereo CAS server for the following versions:

- 6.5.x
- 6.6.x

If your CAS version is not listed above AND is still part of an active maintenance cycle per the CAS maintenance policy, then best effort (analysis or confirmation from reporters/testers) indicates that the version is not affected by this issue. That said, please note that per the project’s Apache2 license, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. For additional information, please see the project license.

If you or your institution is a member of the Apereo foundation with an active support subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.

Severity

When the CAS REST API is turned on and is configured to accept X.509 credentials and CAS is configured to handle CRL revocation via LDAP, the underlying issue allows an attacker to gain insight into the configuration of the running CAS instance by crafting a special malicious certificate. If Apereo CAS is placed behind a reverse proxy, which checks the validity of certificate, this vulnerability can still be exploited, but an attacker needs to somehow craft a signed and yet malicious certificate.

Timeline

The issue was originally reported on Monday February 21st, 2023 and upon confirmation, CAS releases were patched and published on Monday February 21st, 2023.

Patching

Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.

Procedure

6.5.x

Modify your CAS overlay to point to the version 6.5.9.1.

6.6.x

Modify your CAS overlay to point to the version 6.6.6.

Support

Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.

If you or your institution is a member of the Apereo foundation with an active subscription supporting the CAS project, please contact the CAS subs working group to learn more about this security vulnerability report.

Resources

• CAS Security Vulnerability Response Model
• CAS Maintenance Policy

On behalf of the CAS Application Security working group,

Misagh Moayyed