Bug 801304 - OpenId Security vulnerability in Spring Security 2.0.7.RELEASE
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise WFK Platform 2
Classification: JBoss
Component: Spring
Version: 2.0.0.ER2, 2.1.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: CR1
Target Release: 2.1.0
Assigned To: Marek Novotny
QA Contact: Karel Piwko
Docs Contact:
Depends On: 735994
Blocks:
Reported: 2012-03-08 04:02 EST by Karel Piwko
Modified: 2012-11-30 10:34 EST
CC List: 5 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: OpenID4Java 0.9.3, which is a transitive dependency of the Spring Security OpenID implementation, contains a security bug. Consequence: Users relying on Spring Security 2.0.7 get OpenID4Java 0.9.3 with that security bug. Fix: The Spring 2.5 BOM was modified to override the original OpenID4Java version with OpenID4Java 0.9.6. Result: Users using the Spring 2.5 BOM get a safe OpenID4Java version.
Story Points: ---
Clone Of: 735994
Environment:
Last Closed: 2012-11-30 10:34:43 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Karel Piwko 2012-03-08 04:02:19 EST
+++ This bug was initially created as a clone of Bug #735994 +++

Description of problem:

Spring Security OpenID support contains a security bug.


Version-Release number of selected component (if applicable):

Spring Security 2.0.7.RELEASE

How reproducible:

Always

Steps to Reproduce:
1. Secure your application via 

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-openid</artifactId>
  <version>2.0.7.RELEASE</version>
</dependency>
  
Actual results:

Underlying openid4java (0.9.3) contains a security bug, as reported in 
http://openid.net/2011/05/05/attribute-exchange-security-alert/

Additional info:

The following artifact has the security bug fixed; use it instead of the dependency defined by the Spring Security module. Multiple dependency modifications might be required.

<dependency>
  <groupId>org.openid4java</groupId>
  <artifactId>openid4java</artifactId>
  <version>0.9.6</version>
</dependency>
Comment 2 Rebecca Newton 2012-03-12 22:19:09 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Securing an application in the following way creates a security bug:

<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-openid</artifactId>
  <version>2.0.7.RELEASE</version>
</dependency>

The workaround for this issue is to use this artifact configuration instead:

<dependency>
  <groupId>org.openid4java</groupId>
  <artifactId>openid4java</artifactId>
  <version>0.9.6</version>
</dependency>
Comment 3 Rebecca Newton 2012-03-12 22:27:43 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -6,7 +6,7 @@
   <version>2.0.7.RELEASE</version>
 </dependency>
 
-The workaround for this issue is to use this artifact configuration instead:
+To workaround this issue, use the following configuration alongside the original:
 
 <dependency>
   <groupId>org.openid4java</groupId>
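Review bot: the new wording on the `+` line, "To workaround this issue", uses the noun form; as a verb it is two words, so it should read "To work around this issue, use the following configuration alongside the original:". The rewrite also changes the instruction from replacing the dependency to declaring openid4java 0.9.6 next to spring-security-openid; since the original report warns that "multiple dependency modifications might be required", the note should tell readers to confirm which openid4java version their build actually resolves (for example with the Maven dependency tree) rather than assume the added declaration won.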
Comment 4 Marius Bogoevici 2012-04-13 00:08:48 EDT
Requires Release_note
Comment 9 Karel Piwko 2012-06-21 10:29:00 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1,4 @@
-Securing an application in the following way creates a security bug:
+Securing an application in the following way creates a security bug by transitively depending an compromised OpenID4Java:
 
 <dependency>
   <groupId>org.springframework.security</groupId>
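Review bot: the `+` line reads "transitively depending an compromised OpenID4Java"; it should be "transitively depending on a vulnerable OpenID4Java". "Compromised" overstates what the report says: the description states that openid4java 0.9.3 contains a security bug (the attribute-exchange alert), not that the artifact itself was tampered with, so "vulnerable" is the accurate word, and naming the affected version (0.9.3) in the note would make it self-contained.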
Comment 14 Vaclav Dedik 2012-10-01 08:09:50 EDT
I excluded openid4java from spring-security-openid artifact in spring-2.5-bom and declared openid4java in the bom file. My sample application works, so there shouldn't be any other dependencies required.
http://git.app.eng.bos.redhat.com/?p=wfk/distribution.git;a=commitdiff;h=e34a6ec3a625b56a9505b0691bc6bb026484d7a7
Comment 15 Tomas Repel 2012-10-18 07:29:42 EDT
There is a typo in proposed fix, missing closing curly bracket in '<version>${openid4java.version</version>'.

Furthermore, the version is updated to 0.9.6, but there are no *.jar files of this version in maven central. There are only *.pom files.
Comment 16 Marek Novotny 2012-10-18 07:37:52 EDT
Tomas, that artifact is only POM type. Indeed there is a typo in version :-(
Comment 17 Vaclav Dedik 2012-10-18 07:54:09 EDT
I fixed it. I don't understand why maven build won't fail (or show an error at least) when such a silly mistake is made.
Comment 18 Karel Piwko 2012-10-18 11:26:55 EDT
That's because it is a <dependencyManagement>. It fails when somebody imports the bom and tries to get openid4-consumer, because there would be no "${openid4java.version" version.

(In reply to comment #17)
> I fixed it. I don't understand why maven build won't fail (or show an error
> at least) when such a silly mistake is made.
Comment 20 Tomas Repel 2012-11-12 08:02:30 EST
Verified in WFK 2.1.0.CR1.
Comment 21 Isaac Rooskov 2012-11-14 19:34:36 EST
Hi :) 

I'm finding it hard to understand how this issue was fixed. Can you please explain what code was modified and what the modified code now does. 

Thanks, 

Isaac
Comment 22 Marek Novotny 2012-11-15 02:44:10 EST
Isaac,

WFK provides WFK Spring BOMs, and specifically for the Spring 2.5 BOM we added an additional dependency management rule for the OpenID artifact(s) to be at version 0.9.6 and not 0.9.3, which has that security issue.
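A way to check a BOM for the three things this bug turns on (comments 14 to 18 and 22): openid4java managed below 0.9.6, spring-security-openid not excluding the transitive openid4java, and a malformed `${...}` reference in `<version>` that Maven accepts inside `<dependencyManagement>` without complaint until a consumer of the BOM actually resolves the artifact. This is an added example, not WFK's spring-2.5-bom or any of its build code; the BOM fragment inside it is constructed to mirror the fix described here (exclude openid4java from spring-security-openid, manage it separately at `${openid4java.version}`), and the `check_bom` lint, the property name and the `example` groupId are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Every element of a 4.0.0 POM lives in the Maven namespace.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_OPENID4JAVA = (0, 9, 6)  # the version this bug report recommends
OPENID4JAVA = ("org.openid4java", "openid4java")
SPRING_OPENID = ("org.springframework.security", "spring-security-openid")

# Constructed BOM fragment (an assumption, not WFK's real spring-2.5-bom) modelled
# on the fix in comments 14 and 22: exclude openid4java from spring-security-openid
# and manage it separately behind a property.
GOOD_BOM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>spring-2.5-bom</artifactId>
  <version>1.0</version>
  <packaging>pom</packaging>
  <properties>
    <openid4java.version>0.9.6</openid4java.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-openid</artifactId>
        <version>2.0.7.RELEASE</version>
        <exclusions>
          <exclusion>
            <groupId>org.openid4java</groupId>
            <artifactId>openid4java</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>org.openid4java</groupId>
        <artifactId>openid4java</artifactId>
        <version>${openid4java.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# The typo from comment 15: without the closing brace, "${openid4java.version" is a
# literal version string that no repository has. Maven does not reject it while the
# BOM is built; it only fails when a consumer of the BOM resolves the artifact.
TYPO_BOM = GOOD_BOM.replace("${openid4java.version}", "${openid4java.version")
# Property still pointing at the vulnerable release.
OLD_BOM = GOOD_BOM.replace("<openid4java.version>0.9.6<", "<openid4java.version>0.9.3<")
# Managed version present, but the transitive openid4java is not excluded.
NO_EXCLUSION_BOM = re.sub(r"\s*<exclusions>.*?</exclusions>", "", GOOD_BOM, flags=re.S)

PROP_REF = re.compile(r"^\$\{([^${}]+)\}$")


def parse_version(text):
    """Turn '0.9.6' or '2.0.7.RELEASE' into a comparable numeric tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def resolve_version(raw, props):
    """Resolve a <version> value; returns (version, problem), problem None when ok."""
    raw = raw.strip()
    if "${" not in raw:
        return raw, None
    m = PROP_REF.match(raw)
    if not m:
        return None, f"malformed property reference {raw!r}"
    name = m.group(1)
    if name not in props:
        return None, f"undefined property ${{{name}}}"
    return props[name], None


def check_bom(xml_text):
    """Return a list of findings for the BOM; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        ga = (dep.findtext("m:groupId", "", NS), dep.findtext("m:artifactId", "", NS))
        version, problem = resolve_version(dep.findtext("m:version", "", NS), props)
        if problem:
            findings.append(f"{ga[0]}:{ga[1]}: {problem}")
            continue
        if ga == OPENID4JAVA and parse_version(version) < MIN_OPENID4JAVA:
            findings.append(f"{ga[0]}:{ga[1]}: managed version {version} is below 0.9.6")
        if ga == SPRING_OPENID:
            excluded = {(e.findtext("m:groupId", "", NS), e.findtext("m:artifactId", "", NS))
                        for e in dep.findall("m:exclusions/m:exclusion", NS)}
            if OPENID4JAVA not in excluded:
                findings.append(f"{ga[0]}:{ga[1]}: does not exclude org.openid4java:openid4java")
    return findings


if __name__ == "__main__":
    for name, bom in (("good", GOOD_BOM), ("typo", TYPO_BOM),
                      ("old", OLD_BOM), ("no-exclusion", NO_EXCLUSION_BOM)):
        print(name, check_bom(bom) or "OK")
```

The exclusion finding is stricter than Maven strictly needs, since a version declared in `<dependencyManagement>` also governs the transitive openid4java that spring-security-openid pulls in; the lint expects the exclusion anyway because the fix described in comment 14 did both, which leaves no path to 0.9.3 even for a consumer that overrides the managed version.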
Comment 23 Isaac Rooskov 2012-11-15 19:30:05 EST
Hey Marek, 

so this is still a known issue, but with a workaround? 

Thanks, 

Isaac
Comment 24 Marek Novotny 2012-11-16 04:37:09 EST
We fixed the pulling of the affected dependency. The issue can remain only if the user is not importing our WFK Spring 2.5 BOM. But using that BOM was and is the recommended way to stay aligned with certified dependencies for Spring 2.5.6.
Comment 25 Karel Piwko 2012-11-30 10:34:43 EST
Distributed as a part of WFK 2.1.0.GA release.
