
Gluu Server Patches#

oxTrust Unauthorized Access Patch#

May 13, 2019#

Affected versions#

All versions of the Gluu Server

Issue Description#

The following page in oxTrust is not properly protected:

../identity/authentication/finishlogin/

Navigating to this URL directly obtains an unauthorized session for a random user.

Normally, oxAuth sends a request with an authorization code to oxTrust at ../identity/authentication/getauthcode. oxTrust then uses that code to obtain the user's id_token and personal claims, then redirects to ../finishlogin.

Navigating directly to ../finishlogin without meaningful session context caused entryManager to build an objectClass=gluuPerson filter without uid=user_name. This returned all users and created an unauthorized session for the first user on that list.
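To make that failure concrete, here is an added example (written for this page, not oxTrust's own code) that models the two filter builders in Python: the unpatched one that drops the uid clause when the session carries no user id, and the patched one that refuses such a request. The USERS directory, the function names and the minimal filter matcher are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample directory (not real Gluu data). Entry order matters:
# the unpatched flow binds the session to whichever person comes back first.
USERS = [
    {"uid": "admin", "objectClass": "gluuPerson"},
    {"uid": "alice", "objectClass": "gluuPerson"},
    {"uid": "backup-svc", "objectClass": "gluuCustomPerson"},
]

_CLAUSE = re.compile(r"\((\w+)=([^()]*)\)")

def matches(entry: dict, ldap_filter: str) -> bool:
    """Minimal matcher for the two filter shapes built below: every
    (attr=value) clause must hold for the entry (AND semantics)."""
    return all(entry.get(a) == v for a, v in _CLAUSE.findall(ldap_filter))

def vulnerable_person_filter(uid: Optional[str]) -> str:
    """Unpatched behaviour: with no uid in the session context the uid clause
    is silently dropped, so the filter matches every gluuPerson."""
    if uid:
        return f"(&(objectClass=gluuPerson)(uid={uid}))"
    return "(objectClass=gluuPerson)"

def patched_person_filter(uid: Optional[str]) -> str:
    """Patched behaviour: a null or empty user id is rejected before any
    directory lookup, so no session can be created from it."""
    if not uid:
        raise PermissionError("finishlogin reached without a user id")
    return f"(&(objectClass=gluuPerson)(uid={uid}))"

def finish_login(uid: Optional[str], build_filter=vulnerable_person_filter):
    """Return the uid the new session is bound to: the first directory hit,
    or None when nothing matches."""
    hits = [u for u in USERS if matches(u, build_filter(uid))]
    return hits[0]["uid"] if hits else None

def finish_login_patched(uid: Optional[str]):
    """Same flow with the patched builder: a refused login yields None
    rather than a session for an arbitrary user."""
    try:
        return finish_login(uid, patched_person_filter)
    except PermissionError:
        return None
```

With no uid, finish_login(None) returns "admin", the first gluuPerson in the directory, while finish_login_patched(None) returns None.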

Fix Description#

The patch below adds two lines to the finishlogin xhtml file to catch null user-id parameters. Once applied, unauthenticated attempts to access this URL will be blocked.

Note

As the administrative portal for your authentication service, we always recommend blocking public access to oxTrust. Learn how in the docs.

Steps to apply fix#

The steps below apply to all affected Gluu Server versions.

Note

A 5-minute maintenance window is needed to apply the fix. Make sure to test and confirm in a non-production environment first. If Gluu helps manage your server(s), please open a ticket to schedule a maintenance window.

  • Back up your Gluu Server -- either a VM snapshot or a tarball of the Gluu Server container.

  • Log into your Gluu Server container:

    • For Centos 6.x, Red Hat 6.x, Ubuntu 14/16, and Debian 8:
    # service gluu-server-3.1.3.1 login
    
    • For Centos 7.x, Red Hat 7.x and Debian 9:
    # /sbin/gluu-serverd-3.1.3.1 login
    
  • Download the patch script:

    wget https://repo.gluu.org/upd/security_patch_identity-2.py
    
  • Run the command:

    chmod +x security_patch_identity-2.py
    
  • Run the command:

    python security_patch_identity-2.py
    
  • Open an incognito window in your browser and attempt to access the affected page: https://{hostname}/identity/authentication/finishlogin. If it results in a blank page, the patch was successful.

Publicly viewable oxTrust pages#

January 30, 2019#

Affected Versions#

Gluu Server 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4

Description#

We discovered the following two pages in oxTrust are not properly protected:

  • ../identity/status/appliance
  • ../identity/configuration/registration

The steps to fix below apply to all affected Gluu Server versions.

Steps to fix#

Note

You will need a 5-minute maintenance window for your /identity endpoint to apply the fix.

Warning

We always recommend testing on a non-production environment first.

  1. Back up your Gluu Server -- either a VM snapshot or a tarball of the gluu-server container. Read the docs

  2. Log into your Gluu Server container.

    For Centos 6.x, Red Hat 6.x, Ubuntu 14/16, and Debian 8:
    # service gluu-server-3.1.x login

    For Centos 7.x, Red Hat 7.x and Debian 9:
    # /sbin/gluu-serverd-3.1.x login

  3. Download the patch script:
    wget https://repo.gluu.org/upd/security_patch_identity.py

  4. Run the command:
    chmod +x security_patch_identity.py

  5. Run the command:
    python security_patch_identity.py

  6. Open an incognito window in your browser and attempt to access the two affected pages. They should now require authentication.

Patch for uploading image/files#

Affected Versions#

  • Gluu Server 3.1.3.1, 3.1.3

There is a known issue in Gluu 3.1.3.1 that affects file upload features such as Person Import and Organization logo upload.

Below are the steps to fix that issue by patching the oxTrust war file.

  1. Log into the Gluu container
  2. Save a copy of your current /opt/gluu/jetty/identity/webapps/identity.war
  3. Move to the home directory: # cd
  4. Copy identity.war into the current directory: # cp /opt/gluu/jetty/identity/webapps/identity.war .
  5. Run: # zip -d identity.war WEB-INF/lib/jsf-api-2.2.17.jar
  6. Run: # zip -d identity.war WEB-INF/lib/jsf-impl-2.2.17.jar
  7. Make the directory: # mkdir -p WEB-INF/lib
  8. Change directory: # cd WEB-INF/lib
  9. Run: # wget http://repository.jboss.org/nexus/content/groups/public-jboss/com/sun/faces/jsf-api/2.2.16/jsf-api-2.2.16.jar
  10. Run: # wget http://repository.jboss.org/nexus/content/groups/public-jboss/com/sun/faces/jsf-impl/2.2.16/jsf-impl-2.2.16.jar
  11. Run: # jar -uf identity.war WEB-INF/lib/jsf-api-2.2.16.jar
  12. Run: # jar -uf identity.war WEB-INF/lib/jsf-impl-2.2.16.jar
  13. Move the war file back: # cp identity.war /opt/gluu/jetty/identity/webapps/identity.war
  14. Restart the identity service: # service identity restart
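The same jar swap as an added example that is not a Gluu script: a Python function built on the standard zipfile module that rebuilds identity.war without the 2.2.17 jars and with the 2.2.16 ones, assuming the two replacement jars have already been downloaded into a local directory and that every path is taken relative to the directory holding the copied war. The function names are assumptions, and demo() exercises it on a constructed stand-in war rather than a real one.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

OLD_JARS = ["WEB-INF/lib/jsf-api-2.2.17.jar", "WEB-INF/lib/jsf-impl-2.2.17.jar"]
NEW_JARS = ["jsf-api-2.2.16.jar", "jsf-impl-2.2.16.jar"]

def swap_jsf_jars(war: Path, jar_dir: Path, backup_dir: Path) -> list:
    """Back up `war`, drop the 2.2.17 JSF jars and add the 2.2.16 ones found in
    `jar_dir`; return the resulting entry list. zipfile has no in-place delete,
    so the archive is rebuilt entry by entry (the effect of zip -d plus jar -uf)."""
    for name in NEW_JARS:  # refuse to touch the war if a replacement is missing
        if not (jar_dir / name).is_file():
            raise FileNotFoundError(jar_dir / name)
    backup_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(war, backup_dir / war.name)  # step 2: keep the original war
    tmp = war.with_name(war.name + ".tmp")
    with zipfile.ZipFile(war) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename not in OLD_JARS:  # skipping = zip -d of the 2.2.17 jars
                dst.writestr(item, src.read(item.filename))
        for name in NEW_JARS:  # jar -uf of the 2.2.16 jars under WEB-INF/lib
            dst.write(jar_dir / name, f"WEB-INF/lib/{name}")
    tmp.replace(war)
    with zipfile.ZipFile(war) as z:
        return z.namelist()

def demo() -> list:
    """Build a constructed stand-in identity.war (not a real Gluu artifact)
    holding the 2.2.17 jars in a temp dir, patch it, return the new entry list."""
    work = Path(tempfile.mkdtemp())
    war = work / "identity.war"
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        for name in OLD_JARS + ["WEB-INF/lib/some-other-lib.jar"]:
            z.writestr(name, b"constructed jar bytes")
    jar_dir = work / "downloaded"
    jar_dir.mkdir()
    for name in NEW_JARS:
        (jar_dir / name).write_bytes(b"constructed 2.2.16 jar bytes")
    return swap_jsf_jars(war, jar_dir, work / "backup")
```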

Code White Patch#

Note

Version 3.1.3.1 comes with the Code White patch already implemented.

August 21, 2018#

Affected versions#

  • All currently supported Gluu versions (2.4.4, 3.x)

Description#

We have discovered a critical vulnerability in the Jboss Richfaces library. All versions of the Richfaces component (including the latest, v4.5.17.Final) are affected by the vulnerability, an EL injection leading to Remote Code Execution. MITRE has assigned it CVE-2018-12532; the CVE can be seen on the MITRE site as well as at NIST.

This vulnerability is essentially a bypass of CVE-2015-0279. The fix for CVE-2015-0279 hardens the org.richfaces.resource.MediaOutputResource class by blocking expressions containing parentheses. The new vulnerability lies in the fact that EL additionally makes use of custom variable mappers internally to resolve a variable name when it is not found in the main expression, and variable mappers themselves can contain EL code just the same. Variable mappers are implemented through the varMapper field of org.apache.el.MethodExpressionImpl in the Tomcat EL API, which Jetty also uses.

The general flow looks like this: the application deserializes the "do" parameter (the 'source') at org.richfaces.resource.ResourceUtils#decodeBytesData, passes the object through some other calls, and eventually calls MethodExpression.invoke on a field of the object (the 'sink') at org.richfaces.resource.MediaOutputResource#encode. There is a protection in place restricting deserialization to certain classes, but because the VariableMapperImpl class is also whitelisted there, the attacker then has full control over the varMapper field in the MethodExpressionImpl instance, which essentially means arbitrary EL injection.

As oxTrust/Identity uses Jboss Richfaces, this allows an unauthorized user to achieve Remote Code Execution. Knowing this, we have created a richfaces updater script that removes the affected class from the identity.war file, negating the impact of this vulnerability. That said, we strongly recommend that oxTrust not be internet-facing.

Steps to Fix#

Note

We strongly recommend backing up your environment before proceeding.

Note

The script will suggest restarting the container after the patching is done. This step can be omitted if the steps below were followed to the letter, as stopping and starting the particular service ("tomcat" for 2.x and "identity" for 3.x) is enough to apply the changes.

  1. Log in to the Gluu Server chroot
  2. Download the security patch richfaces_updater.sh from https://repo.gluu.org/upd/
  3. You can verify the integrity of the file by running sha256sum richfaces_updater.sh and comparing the result against the sha256 checksum file richfaces_updater.sh.sha256 at https://repo.gluu.org/upd/
  4. Make richfaces_updater.sh executable
  5. Stop "tomcat"/"identity" services:

    Gluu Server 3.x: [root@localhost ~]# service identity stop
    Gluu Server 2.x: [root@localhost ~]# service tomcat stop
    
  6. Run richfaces_updater.sh

    [root@example ~]# service gluu-server-x.x.x Login
    Welcome to the Gluu Server!
    [root@localhost ~]# chmod +x richfaces_updater.sh 
    [root@localhost ~]# ./richfaces_updater.sh 
    Creating directory /opt/upd
    Verifying archive integrity...  100%   MD5 checksums are OK. All good.
    Uncompressing Gluu Richfaces Updater  100%
    
    Backing up /opt/gluu/jetty/identity/webapps/identity.war to /opt/upd/Thu_Aug_16_20:21:50_2018
    Updating /opt/gluu/jetty/identity/webapps/identity.war
    Deleting old richfaces from identity.war
    deleting: WEB-INF/lib/richfaces-4.5.17.Final.jar
    deleting: WEB-INF/lib/richfaces-core-4.5.17.Final.jar
    deleting: WEB-INF/lib/richfaces-a4j-4.5.17.Final.jar
    Adding latest richfaces to identity.war
    adding: WEB-INF/lib/richfaces-4.5.17-gluu.Final.jar (deflated 20%)
    adding: WEB-INF/lib/richfaces-a4j-4.5.17-gluu.Final.jar (deflated 10%)
    adding: WEB-INF/lib/richfaces-core-4.5.17-gluu.Final.jar (deflated 9%)
    
  7. Start "tomcat"/"identity" services:

    Gluu Server 3.x: [root@localhost ~]# service identity start
    Gluu Server 2.x: [root@localhost ~]# service tomcat start
    

Explanation of Fix#

By following the above instructions, you will replace the old richfaces library in identity.war with a custom fixed version for the Gluu Server. The fix is accomplished by removing the affected (and unused) classes from the vulnerable library, negating the impact of the vulnerability.

A backup of your identity.war, before changes, is in the /opt/upd/backup_$TIME_STAMP directory in case you need it.
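Two checks from the steps above, written as an added example that is not Gluu's updater script: verifying the downloaded richfaces_updater.sh against its .sha256 file (step 3), and confirming afterwards that every richfaces jar inside identity.war is the -gluu.Final build the updater installs rather than the stock 4.5.17.Final build. The function names are assumptions, and the wars, script and checksum files that demo() builds are constructed fixtures.

```python
import hashlib
import hmac
import re
import tempfile
import zipfile
from pathlib import Path

# The updater output above shows the patched jars carry a "-gluu.Final" suffix,
# so a stock "<version>.Final" richfaces jar is still the affected build.
RICHFACES_JAR = re.compile(r"WEB-INF/lib/(richfaces(?:-core|-a4j)?)-(.+)\.jar$")

def sha256_matches(path: Path, checksum_file: Path) -> bool:
    """Compare `path` with a sha256sum-style line ("<hex>  <filename>"), as in
    step 3 above; hmac.compare_digest keeps the comparison constant-time."""
    expected = checksum_file.read_text().split()[0].lower()
    actual = hashlib.sha256(path.read_bytes()).hexdigest()
    return hmac.compare_digest(actual, expected)

def richfaces_versions(war: Path) -> dict:
    """Map each richfaces artifact inside the war to its version string."""
    with zipfile.ZipFile(war) as z:
        names = z.namelist()
    return {m.group(1): m.group(2) for m in map(RICHFACES_JAR.match, names) if m}

def richfaces_patched(war: Path) -> bool:
    """True only when richfaces is present and every jar is the Gluu-patched build."""
    versions = richfaces_versions(war)
    return bool(versions) and all(v.endswith("-gluu.Final") for v in versions.values())

def demo() -> dict:
    """Constructed fixtures (no real Gluu files): a stock war, a patched war and
    two checksum files for a stand-in updater script; returns the check results."""
    work = Path(tempfile.mkdtemp())
    def make_war(name: str, suffix: str) -> Path:
        war = work / name
        with zipfile.ZipFile(war, "w") as z:
            z.writestr("WEB-INF/web.xml", "<web-app/>")
            for art in ("richfaces", "richfaces-core", "richfaces-a4j"):
                z.writestr(f"WEB-INF/lib/{art}-4.5.17{suffix}.jar", b"constructed")
        return war
    stock = make_war("stock.war", ".Final")
    patched = make_war("patched.war", "-gluu.Final")
    script = work / "richfaces_updater.sh"
    script.write_bytes(b"#!/bin/sh\necho constructed stand-in, not the real updater\n")
    good, bad = work / "good.sha256", work / "bad.sha256"
    good.write_text(hashlib.sha256(script.read_bytes()).hexdigest() + "  richfaces_updater.sh\n")
    bad.write_text("0" * 64 + "  richfaces_updater.sh\n")
    return {"stock": richfaces_patched(stock), "patched": richfaces_patched(patched),
            "good_sum": sha256_matches(script, good), "bad_sum": sha256_matches(script, bad)}
```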