Bug 801304 - OpenId Security vulnerability in Spring Security 2.0.7.RELEASE
Summary: OpenId Security vulnerability in Spring Security 2.0.7.RELEASE
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise WFK Platform 2
Classification: Retired
Component: Spring
Version: 2.0.0.ER2,2.1.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: CR1
Target Release: 2.1.0
Assignee: Marek Novotny
QA Contact: Karel Piwko
URL:
Whiteboard:
Depends On: 735994
Blocks:
Reported: 2012-03-08 09:02 UTC by Karel Piwko
Modified: 2012-11-30 15:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: OpenID4Java 0.9.3, which is a transitive dependency of the Spring Security OpenID implementation, contains a security bug. Consequence: Users relying on Spring Security 2.0.7 get OpenID4Java 0.9.3 with that security bug. Fix: The Spring 2.5 BOM was modified to override the original OpenID4Java version with OpenID4Java 0.9.6. Result: Users using the Spring 2.5 BOM get a safe OpenID4Java version.
Clone Of: 735994
Environment:
Last Closed: 2012-11-30 15:34:43 UTC
Type: ---
Embargoed:



Description Karel Piwko 2012-03-08 09:02:19 UTC
+++ This bug was initially created as a clone of Bug #735994 +++

Description of problem:

Spring Security OpenID support contains a security bug.


Version-Release number of selected component (if applicable):

Spring Security 2.0.7.RELEASE

How reproducible:

Always

Steps to Reproduce:
1. Secure your application via 

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-openid</artifactId>
  <version>2.0.7.RELEASE</version>
</dependency>
  
Actual results:

Underlying openid4java (0.9.3) contains a security bug, as reported in 
http://openid.net/2011/05/05/attribute-exchange-security-alert/

Additional info:

The following artifact has the security bug fixed; use it instead of the dependency defined by the Spring Security module. Multiple dependency modifications might be required.

<dependency>
  <groupId>org.openid4java</groupId>
  <artifactId>openid4java</artifactId>
  <version>0.9.6</version>
</dependency>

Comment 2 Rebecca Newton 2012-03-13 02:19:09 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Securing an application in the following way creates a security bug:

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-openid</artifactId>
  <version>2.0.7.RELEASE</version>
</dependency>

The workaround for this issue is to use this artifact configuration instead:

<dependency>
  <groupId>org.openid4java</groupId>
  <artifactId>openid4java</artifactId>
  <version>0.9.6</version>
</dependency>

Comment 3 Rebecca Newton 2012-03-13 02:27:43 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -6,7 +6,7 @@
   <version>2.0.7.RELEASE</version>
 </dependency>
 
-The workaround for this issue is to use this artifact configuration instead:
+To workaround this issue, use the following configuration alongside the original:
 
 <dependency>
   <groupId>org.openid4java</groupId>
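Review bot: in the `+` line, "To workaround this issue" should read "To work around this issue" (the verb form is two words; "workaround" is the noun). The rewritten sentence also no longer says what the added configuration achieves; stating that the directly declared org.openid4java:openid4java 0.9.6 takes the place of the 0.9.3 pulled in transitively by spring-security-openid would make the note self-explanatory for readers of the release note.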

Comment 4 Marius Bogoevici 2012-04-13 04:08:48 UTC
Requires Release_note

Comment 9 Karel Piwko 2012-06-21 14:29:00 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1,4 @@
-Securing an application in the following way creates a security bug:
+Securing an application in the following way creates a security bug by transitively depending an compromised OpenID4Java:
 
 <dependency>
   <groupId>org.springframework.security</groupId>
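Review bot: the `+` line has a grammar slip, "transitively depending an compromised OpenID4Java" should be "transitively depending on a vulnerable OpenID4Java"; "compromised" also overstates the Doc Text, which says OpenID4Java 0.9.3 "contains a security bug", not that the library itself was compromised. Naming the affected version (0.9.3) in the sentence would tie the note to the artifact the fix replaces.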

Comment 14 Vaclav Dedik 2012-10-01 12:09:50 UTC
I excluded openid4java from the spring-security-openid artifact in spring-2.5-bom and declared openid4java in the BOM file. My sample application works, so there shouldn't be any other dependencies required.
http://git.app.eng.bos.redhat.com/?p=wfk/distribution.git;a=commitdiff;h=e34a6ec3a625b56a9505b0691bc6bb026484d7a7

Comment 15 Tomas Repel 2012-10-18 11:29:42 UTC
There is a typo in the proposed fix: a missing closing curly bracket in '<version>${openid4java.version</version>'.

Furthermore, the version is updated to 0.9.6, but there are no *.jar files of this version in Maven Central. There are only *.pom files.

Comment 16 Marek Novotny 2012-10-18 11:37:52 UTC
Tomas, that artifact is only POM type. Indeed there is a typo in version :-(

Comment 17 Vaclav Dedik 2012-10-18 11:54:09 UTC
I fixed it. I don't understand why the Maven build won't fail (or show an error at least) when such a silly mistake is made.

Comment 18 Karel Piwko 2012-10-18 15:26:55 UTC
That's because it is in <dependencyManagement>. It fails when somebody imports the BOM and tries to get openid4-consumer, because there would be no "${openid4java.version" version.

(In reply to comment #17)
> I fixed it. I don't understand why maven build won't fail (or show en error
> at least) when such a silly mistake is made.
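
One way to express the BOM change discussed in comments 14 to 18 (exclude the transitive openid4java 0.9.3 from spring-security-openid and pin 0.9.6 through a property inside dependencyManagement), written here as an added illustration and not the actual WFK commit. The BOM coordinates are placeholders, and the `openid4java-consumer` artifact name is an assumption based on the "openid4-consumer" mentioned in comment 18:

```xml
<!-- Example BOM fragment (added illustration, not the WFK spring-2.5-bom) -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.bom</groupId>                 <!-- placeholder coordinates -->
  <artifactId>spring-2.5-bom-example</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Comment 15's typo was "${openid4java.version" (no closing brace).
         Because the reference lives in dependencyManagement, this BOM still
         builds with the typo; the unresolved literal only fails in a project
         that imports the BOM and asks for the artifact (comment 18). -->
    <openid4java.version>0.9.6</openid4java.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Keep Spring Security OpenID, but cut off its transitive openid4java 0.9.3 -->
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-openid</artifactId>
        <version>2.0.7.RELEASE</version>
        <exclusions>
          <exclusion>
            <groupId>org.openid4java</groupId>
            <artifactId>openid4java</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <!-- Pin the fixed version for every project that imports this BOM.
           Per comments 15/16 the 0.9.6 "openid4java" artifact is POM-only,
           so the jar-carrying consumer module (name assumed) is managed too. -->
      <dependency>
        <groupId>org.openid4java</groupId>
        <artifactId>openid4java</artifactId>
        <version>${openid4java.version}</version>
      </dependency>
      <dependency>
        <groupId>org.openid4java</groupId>
        <artifactId>openid4java-consumer</artifactId>
        <version>${openid4java.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

A project that imports the BOM can confirm the override with `mvn dependency:tree -Dincludes=org.openid4java`, which should list no 0.9.3 artifact.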

Comment 20 Tomas Repel 2012-11-12 13:02:30 UTC
Verified in WFK 2.1.0.CR1.

Comment 21 Isaac Rooskov 2012-11-15 00:34:36 UTC
Hi :) 

I'm finding it hard to understand how this issue was fixed. Can you please explain what code was modified and what the modified code now does. 

Thanks, 

Isaac

Comment 22 Marek Novotny 2012-11-15 07:44:10 UTC
Isaac,

 WFK provides the WFK Spring BOMs, and specifically for the Spring 2.5 BOM we added an additional dependency management rule for the openId artifact(s) to be at version 0.9.6 and not 0.9.3, which has that security issue.

Comment 23 Isaac Rooskov 2012-11-16 00:30:05 UTC
Hey Marek, 

so this is still a known issue, but with a workaround? 

Thanks, 

Isaac

Comment 24 Marek Novotny 2012-11-16 09:37:09 UTC
We fixed the pulling of the affected dependency. The issue can remain only if the user is not importing our WFK Spring 2.5 BOM. But using that BOM was and is the recommended way to be aligned with the certified dependencies for Spring 2.5.6.

Comment 25 Karel Piwko 2012-11-30 15:34:43 UTC
Distributed as a part of WFK 2.1.0.GA release.

