Stream Security Leaks Information

Greg Logan

Dec 4, 2017, 5:05:53 PM12/4/17
to security...@opencast.org
Hello,

This is the official security notice regarding a security issue recently
discovered in the stream security module within all versions of Opencast after
release 2.2.0.

Description:

   An attacker who obtains the unsigned URL of a mediapackage element, and
   knows the key id used for a given URL pattern, can construct a request
   such that Opencast returns the correct signing key.


Affects:

   This issue affects the stream security module present in Opencast 2.2.0 and
   later.  Adopters who do not make use of the stream security module are
   unaffected.

Details:

   An attacker with the unsigned URL of a mediapackage element, and the key id
   used for that element, can create an invalid request to access a protected
   file, which causes the stream security module to leak the correct values for
   that user.  The URL and key id can be extracted from previously published
   signed URLs, even if they are no longer valid.

   This vulnerability does not expose user data; it only allows unauthorized
   access to the mediapackage elements themselves.

   This issue has been filed as https://opencast.jira.com/browse/MH-12588
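The defensive property the details above call for is that a signed-URL check must fail closed: an invalid, expired or malformed request gets the same bare rejection as any other, and neither the expected signature nor the key is ever reflected back. The following is an added illustration, not Opencast's own code; it assumes a policy/keyId/signature query-string layout with an HMAC-SHA256 signature over a base64 policy, and the key id, secret and URLs are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed demo key store (key id -> shared secret); the values are hypothetical.
KEYS = {"demoKeyId": b"constructed-demo-secret-do-not-reuse"}


def sign_url(url, key_id, expires_at):
    """Issue a signed URL: a base64 policy naming the resource and its expiry,
    plus an HMAC-SHA256 over that policy (assumed layout, see lead-in)."""
    policy_json = json.dumps({"Statement": {"Resource": url,
                              "Condition": {"DateLessThan": expires_at * 1000}}})
    policy = base64.urlsafe_b64encode(policy_json.encode()).decode()
    sig = hmac.new(KEYS[key_id], policy.encode(), hashlib.sha256).hexdigest()
    return f"{url}?policy={policy}&keyId={key_id}&signature={sig}"


def verify_signed_url(signed_url, now=None):
    """Accept only a well-formed, unexpired signature over the URL actually requested.

    Every rejection is the same bare False: the expected signature, the key and the
    failure reason are never handed back, so a deliberately malformed request learns nothing.
    """
    now = time.time() if now is None else now
    parts = urlsplit(signed_url)
    qs = parse_qs(parts.query)
    try:
        policy, key_id, sig = qs["policy"][0], qs["keyId"][0], qs["signature"][0]
    except KeyError:
        return False
    key = KEYS.get(key_id)
    if key is None:
        return False  # unknown key id gets the same answer as a bad signature
    expected = hmac.new(key, policy.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False
    try:
        statement = json.loads(base64.urlsafe_b64decode(policy))["Statement"]
        resource = statement["Resource"]
        expires_ms = int(statement["Condition"]["DateLessThan"])
    except (ValueError, KeyError, TypeError):
        return False
    # The policy must name exactly the resource being fetched (query string stripped).
    requested = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return resource == requested and now * 1000 < expires_ms
```

Binding the policy to the requested path also means that an old signed URL cannot be re-pointed at a different mediapackage element, which is the reuse scenario the details describe.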

Patching the system:

   Patches for this issue are included in Opencast 2.3.5, and 3.4.  Newer versions
   are unaffected because they will incorporate the patch present in 3.4.

Credits:

This issue was discovered and fixed by Matthias Neugebauer (University of Muenster)