Solr May Handle Roles Incorrectly

Lars Kiesow

Dec 6, 2016, 5:37:01 PM
to security...@opencast.org
Hello,
this is the official security notice regarding a security issue
recently discovered in Opencast.

Description:

The Solr index for the search service (back-end e.g. for player and
media module) in some cases returns results that should not be
available to the current user.


Affects:

This issue affects all recent versions of Opencast.


Details:

Solr in some cases returned results that should not be available to
the current user. For example, if `UserX` has the role `ROLE_USER`
and a video should only be available for `ROLE_USER_ADMIN`, `UserX`
can still access it.

This may happen only if the second role starts with the complete
first role, as `ROLE_USER_ADMIN` starts with `ROLE_USER`. If the
role names do not overlap in this way, there should be no problem.
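The following is an added illustration of the flaw described above, not code from Opencast or from the referenced pull request. It models the vulnerable behaviour as a prefix match on ACL roles (the effect of a Solr prefix/wildcard query), places the exact-match form beside it, and includes a small audit helper that reports which items the prefix form would leak for a given set of user roles; the field name `acl_read` and the sample data are assumptions.

```python
"""Hypothetical model of a role-prefix ACL flaw (constructed example, not Opencast code)."""
from dataclasses import dataclass

# Characters the Solr standard query parser treats specially; escaped so a role name
# can never be read as a wildcard, range or boolean operator.
SOLR_SPECIAL = set('+-&|!(){}[]^"~*?:\\/ ')


@dataclass(frozen=True)
class Video:
    media_id: str
    read_roles: frozenset   # roles granted read access in the video's ACL


def prefix_filter(user_roles, videos):
    """Vulnerable shape: a stored role matches if it merely starts with a user role,
    which is what a query like acl_read:ROLE_USER* does in Solr."""
    return [v.media_id for v in videos
            if any(stored.startswith(mine) for stored in v.read_roles for mine in user_roles)]


def exact_filter(user_roles, videos):
    """Fixed shape: a stored role matches only if it equals a user role exactly."""
    granted = frozenset(user_roles)
    return [v.media_id for v in videos if v.read_roles & granted]


def escape_term(role):
    """Backslash-escape Solr metacharacters so the role is a literal term."""
    return "".join("\\" + c if c in SOLR_SPECIAL else c for c in role)


def build_fq(field, user_roles):
    """Build a filter query that matches whole terms only: field:(ROLE_A OR ROLE_B).
    The field must be a non-tokenized string type for this to be an exact comparison."""
    return field + ":(" + " OR ".join(escape_term(r) for r in user_roles) + ")"


def find_leaks(user_roles, videos):
    """Audit helper: ids the prefix query returns that exact matching would not."""
    return sorted(set(prefix_filter(user_roles, videos)) - set(exact_filter(user_roles, videos)))


# Constructed sample index: v1 is admin-only, v2 is for ordinary users, v3 for ROLE_ADMIN.
VIDEOS = [
    Video("v1", frozenset({"ROLE_USER_ADMIN"})),
    Video("v2", frozenset({"ROLE_USER"})),
    Video("v3", frozenset({"ROLE_ADMIN"})),
]

if __name__ == "__main__":
    print("leaked to ROLE_USER:", find_leaks(["ROLE_USER"], VIDEOS))
    print("safe fq:", build_fq("acl_read", ["ROLE_USER", "ROLE_ANONYMOUS"]))
```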


Patching the system:

Patches for this issue are included in Opencast 2.2.4 and 2.3.0.
A patch can also be found at
https://bitbucket.org/opencast-community/matterhorn/pull-requests/1236


Credits:

Thanks to Matthias Neugebauer from the University of Münster for
finding, reporting and fixing the issue.


Best regards,
Lars Kiesow
0001-MH-11236-ACL-Publication-Fix-2.0.patch
0001-MH-11236-ACL-Publication-Fix-2.1.patch