Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

If the environment is affected, the web service (or less likely UI) can be involved authenticated for an arbitrary user or identifier (which does not have a password set) with no password.  If the WS restricts which users can connect (grouper-ws.properties: ws.client.user.group.name), and all subject IDs and identifiers have a password defined, then this cannot be exploited.

The remediation ensures the WS restricts group, and adds the other subject ids or identifiers with unusable passwords in the grouper_password table.

Test your environments

To test, make a call like this to your WS in all environments (dev/test/prod etc).  Adjust the https, domain name, and context (grouper-ws) to fit your env.  Adjust the “user” and the “password” per the test case.  With curl, if there is no password, just end the username with a colon:    -u 'user:' 

Code Block
curl -X GET -H 'Content-Type: application/json' -u 'user:password' -i 'https://domain.name/grouper-ws/servicesRest/v2_5_000/subjects?wsLiteObjectType=WsRestGetSubjectsLiteRequest&searchString=GrouperSystem'


This is a valid response with 200 code

Code Block
{"WsGetSubjectsResults":{"resultMetadata":

...


{"success":"T","resultCode":"SUCCESS","resultMessage":"Queried 1 subjects"},"responseMetadata":{"serverVersion":"4.0.0","millis":"400"},"wsSubjects":[{"sourceId":"g:isa","success":"T","name":"GrouperSysAdmin","resultCode":"SUCCESS","id":"GrouperSystem"}]}}


Note: You do not have to use curl, you can use any rest client.  You cannot use the grouper client since it requires a password.

...

Username

Password

Expected result

Valid user

Valid password

Valid

Valid user

<none>

Error

Valid user different subject identifier or id

<none>

Error

GrouperSystem

<none>

Error

Invalid user

<none>

Error


Clear your shell history

If you were using curl via commands line, edit or delete the history file (e.g. ~/.bash_history) and log out and log in and type: history    and ensure any passwords are not stored in your OS.


Final data check

Check the usernames in the grouper_password table to ensure that each real password (the_password doesn’t start with xXxXx), has entries for other subject IDs or identifiers (the_password does start with xXxXx which makes the password not work).  For instance if you are using local entities with UUIDs, make sure the group names are listed in the grouper_password table with password that starts with xXxXx.  If you are using your own subject source, see what subject identifiers or ids that source allows.

What is next

When affected people are done with these tests, we will release containers and the CVE to the public.