Bug 1131350 (CVE-2014-4172)

Summary: CVE-2014-4172 cas-client: Bypass of security constraints via URL parameter injection
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bazulay, bdawidow, bmcclain, chazlett, dblechte, ecohen, epp-bugs, fedora, gklein, grocha, hfnukal, idith, iheim, java-sig-commits, jpallich, lsurette, michal.skrivanek, mjc, mweiler, rbalakri, Rhev-m-bugs, theute, yeylon, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cas-client 3.3.2, cas-client-core 3.3.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-22 18:25:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1131351, 1131352, 1131353, 1131354, 1131355, 1131356, 1131371    
Bug Blocks: 1131366    

Description David Jorm 2014-08-19 05:53:16 UTC 
It was found that URL encoding used in the back-channel ticket validation of the JA-SIG CAS client was improper. A remote attacker could exploit this flaw to bypass security constraints by injecting URL parameters.
Comment 1 David Jorm 2014-08-19 05:55:34 UTC 
External References:

https://www.mail-archive.com/cas-user@lists.jasig.org/msg17338.html
Comment 5 David Jorm 2014-08-19 06:20:58 UTC 
Created cas-client tracking bugs for this issue:

Affects: fedora-all [bug 1131371]
Comment 6 Arun Babu Neelicattu 2014-08-20 04:36:58 UTC 
Upstream Issue:

https://issues.jasig.org/browse/CASC-228
Comment 7 Arun Babu Neelicattu 2014-08-20 04:42:13 UTC 
Upstream Commits:

java-cas-client/master
https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814
Comment 8 Arun Babu Neelicattu 2014-08-20 05:07:22 UTC 
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/4172.yaml
Comment 9 Fedora Update System 2014-08-30 03:58:52 UTC 
cas-client-3.3.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Murray McAllister 2014-09-01 03:29:00 UTC 
As noted in the Debian bug, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3 fixed this issue there.

php-pear-CAS 1.3.3 is already in Fedora and EPEL.
Comment 11 Murray McAllister 2014-09-01 03:33:10 UTC 
(In reply to Murray McAllister from comment #10)
> As noted in the Debian bug,
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718, php-cas 1.3.3
> fixed this issue there.
> 
> php-pear-CAS 1.3.3 is already in Fedora and EPEL.

https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog
Comment 13 errata-xmlrpc 2015-05-14 15:23:13 UTC 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Comment 14 Kurt Seifried 2016-01-22 18:25:50 UTC 
This issue does not affect JasperReports as used in Red Hat Enterprise Virtualization Manager, marking wontfix.