| Summary: | OpenID security vulnerability in Spring Security 2.0.7.RELEASE | | |
|---|---|---|---|
| Product: | [Retired] JBoss Enterprise WFK Platform 2 | Reporter: | Karel Piwko <kpiwko> |
| Component: | Spring | Assignee: | Marek Novotny <mnovotny> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Karel Piwko <kpiwko> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 2.0.0.ER2, 2.1.0 | CC: | djorm, irooskov, mnovotny, trepel, vdedik |
| Target Milestone: | CR1 | | |
| Target Release: | 2.1.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Cause: OpenID4Java 0.9.3, which is a transitive dependency of the Spring Security OpenID implementation, contains a security bug.<br>Consequence: Users relying on Spring Security 2.0.7 get OpenID4Java 0.9.3 with the security bug.<br>Fix: The Spring 2.5 BOM was modified to override the original OpenID4Java version with OpenID4Java 0.9.6.<br>Result: Users of the Spring 2.5 BOM get a safe OpenID4Java version. | | |
| Story Points: | --- | | |
| Clone Of: | 735994 | Environment: | |
| Last Closed: | 2012-11-30 15:34:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 735994 | | |
| Bug Blocks: | | | |
Description

Karel Piwko
2012-03-08 09:02:19 UTC

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:

Securing an application in the following way creates a security bug:

```xml
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-openid</artifactId>
  <version>2.0.7.RELEASE</version>
</dependency>
```

The workaround for this issue is to use this artifact configuration instead:

```xml
<dependency>
  <groupId>org.openid4java</groupId>
  <artifactId>openid4java</artifactId>
  <version>0.9.6</version>
</dependency>
```
Technical note updated.

Diffed Contents:
@@ -6,7 +6,7 @@
<version>2.0.7.RELEASE</version>
</dependency>
-The workaround for this issue is to use this artifact configuration instead:
+To workaround this issue, use the following configuration alongside the original:
<dependency>
<groupId>org.openid4java</groupId>
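Review bot: "To workaround this issue" uses the noun as a verb; it should read "To work around this issue". The new phrase "alongside the original" also leaves the mechanism implicit, and a reader may wonder whether two copies of openid4java end up on the classpath; one clause would settle it, e.g. "declaring openid4java 0.9.6 directly takes precedence over the 0.9.3 pulled in transitively by spring-security-openid, so only 0.9.6 is resolved."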
Requires Release_note
Technical note updated.

Diffed Contents:
@@ -1,4 +1,4 @@
-Securing an application in the following way creates a security bug:
+Securing an application in the following way creates a security bug by transitively depending an compromised OpenID4Java:
<dependency>
<groupId>org.springframework.security</groupId>
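Review bot: the added clause "by transitively depending an compromised OpenID4Java" has two grammar slips and an imprecise word; it should read "by transitively depending on a vulnerable OpenID4Java" (the library ships a security bug, it is not compromised). Naming the affected version, 0.9.3 per the Doc Text above, would make the sentence self-contained, e.g. "by transitively depending on OpenID4Java 0.9.3, which has a known security bug:".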
I excluded openid4java from the spring-security-openid artifact in spring-2.5-bom and declared openid4java in the BOM file. My sample application works, so there shouldn't be any other dependencies required. http://git.app.eng.bos.redhat.com/?p=wfk/distribution.git;a=commitdiff;h=e34a6ec3a625b56a9505b0691bc6bb026484d7a7

There is a typo in the proposed fix, a missing closing curly bracket in '<version>${openid4java.version</version>'. Furthermore, the version is updated to 0.9.6, but there are no *.jar files of this version in Maven Central. There are only *.pom files.

Tomas, that artifact is only POM type. Indeed there is a typo in the version :-( I fixed it. I don't understand why the Maven build won't fail (or show an error at least) when such a silly mistake is made.

(In reply to comment #17)
> I fixed it. I don't understand why the Maven build won't fail (or show an error
> at least) when such a silly mistake is made.

That's because it is a <dependencyManagement>. It fails when somebody imports the BOM and tries to get openid4-consumer, because there would be no "${openid4java.version" version.

Verified in WFK 2.1.0.CR1.

Hi :) I'm finding it hard to understand how this issue was fixed. Can you please explain what code was modified and what the modified code now does? Thanks, Isaac

Isaac, WFK provides WFK Spring BOMs, and specifically for the Spring 2.5 BOM we added an additional dependency management rule for the OpenID artifact(s) to be at version 0.9.6 and not 0.9.3, which has that security issue.

Hey Marek, so this is still a known issue, but with a workaround? Thanks, Isaac

We fixed the pulling of the affected dependency. The issue can remain only if the user is not importing our WFK Spring 2.5 BOM. But using that BOM was and is the recommended way to be aligned with certified dependencies for Spring 2.5.6.

Distributed as a part of the WFK 2.1.0.GA release.
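As an added example (not the WFK project's own BOM and not code from this bug), this is what the fix described in the Doc Text and in the comments looks like in a Maven BOM: the transitive openid4java is excluded from spring-security-openid and the fixed version is managed explicitly through the openid4java.version property the comments mention, with its closing brace in place. The BOM's own groupId, artifactId and version are placeholders, and whether further openid4java module artifacts need managing is not covered by the page and is left out.

```xml
<!-- Illustrative BOM (example, not the WFK spring-2.5-bom); coordinates are placeholders -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>spring-2.5-bom</artifactId>
  <version>0-PLACEHOLDER</version>
  <packaging>pom</packaging>

  <properties>
    <!-- the typo discussed in the comments was a missing "}" when this
         property was referenced; a malformed reference is not caught here
         but only when a project imports the BOM and resolves the artifact -->
    <openid4java.version>0.9.6</openid4java.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- keep spring-security-openid from dragging in openid4java 0.9.3:
           Maven honours exclusions declared on a managed dependency -->
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-openid</artifactId>
        <version>2.0.7.RELEASE</version>
        <exclusions>
          <exclusion>
            <groupId>org.openid4java</groupId>
            <artifactId>openid4java</artifactId>
          </exclusion>
        </exclusions>
      </dependency>

      <!-- manage the fixed version explicitly, so projects importing this
           BOM resolve 0.9.6 whenever they declare the artifact -->
      <dependency>
        <groupId>org.openid4java</groupId>
        <artifactId>openid4java</artifactId>
        <version>${openid4java.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

A project picks this up by importing the BOM in its own dependencyManagement with `<type>pom</type>` and `<scope>import</scope>`, which is the "users using the Spring 2.5 BOM" path the Result line refers to.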