
Greg Logan
Jul 14, 2017, 4:10:51 PM
to security...@opencast.org
Hello,
this is the official security notice regarding a severe security issue
recently discovered in Opencast 3.0.

Description:

   In Opencast 3.0 everyone can get access to the OSGi shell via web
   with no authentication required.


Affects:

   This issue affects Opencast 3.0


Details:

   In Opencast 3.0 everyone can get access to the OSGi shell via web.
   No authentication is required. This issue is caused by a bug in
   Apache Karaf, a framework used by Opencast:

   https://issues.apache.org/jira/browse/KARAF-4993

   From what we could determine, the consequences of this issue are
   that *all* bundle configurations can be accessed without any form of
   authentication.

   Note that, in some cases, bundle configurations can include sensitive
   information, such as:

    - YouTube credentials
    - Sakai admin credentials
    - Stream security keys
    - Mail server credentials

   If you already use Opencast 3.0, we recommend changing these
   credentials immediately.

   From what we could determine, the system configuration is not
   affected by this issue; hence, the Opencast admin and digest user
   credentials are not exposed. To be safe, we still recommend
   changing these credentials as well.

Patching the system:

   Patches for this issue are included in Opencast 3.1

   A patch can also be found at
   https://bitbucket.org/opencast-community/matterhorn/pull-requests/1599

   If your installation utilizes a reverse proxy, you can also block
   the path /gogo/ in your reverse proxy as an effective quick fix.
   Note that this only protects requests that pass through the proxy:
   if Opencast itself is reachable directly (e.g. on its own HTTP port
   from the local network), the shell is still exposed there, so make
   sure that port is not accessible to untrusted clients. For the
   proxy, these configuration snippets may help:

   # Nginx
   location /gogo {
     deny  all;
   }

   # Apache httpd 2.2
   <Location "/gogo">
     Order deny,allow
     Deny from all
   </Location>

   # Apache httpd 2.4 (the 2.2 directives above only work there with
   # mod_access_compat loaded)
   <Location "/gogo">
     Require all denied
   </Location>
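
   As an added example (not part of this advisory or of Opencast), a
   small POSIX shell script to verify from the outside that the proxy
   rule actually takes effect. It probes the /gogo path named above,
   with and without a trailing slash, and treats anything other than a
   401/403/404 answer as a sign that the console is still reachable.
   The base URL is a placeholder you supply; nothing else is assumed
   about the Karaf console's responses.

```sh
#!/bin/sh
# Added example, not part of the Opencast advisory: check that the Karaf
# web console path /gogo is blocked by the reverse proxy (or by the patch).
# Requires curl. Usage: ./check_gogo.sh https://opencast.example.org

# Map an HTTP status code to a verdict. 401/403/404 mean the request was
# denied or the path no longer exists; 200 means something answered, which
# after the fix should not happen for /gogo. curl prints 000 when it could
# not connect at all.
classify_gogo_status() {
    case "$1" in
        401|403|404) echo "blocked" ;;
        200)         echo "EXPOSED" ;;
        000)         echo "unreachable" ;;
        *)           echo "unexpected:$1" ;;
    esac
}

# Probe one base URL. Both /gogo and /gogo/ are checked because a proxy rule
# written for one form may not cover the other. Returns 0 only when every
# probe came back blocked.
check_gogo() {
    base="$1"
    rc=0
    for path in /gogo /gogo/; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$base$path")
        verdict=$(classify_gogo_status "$code")
        printf '%s%s -> %s (%s)\n' "$base" "$path" "$code" "$verdict"
        [ "$verdict" = "blocked" ] || rc=1
    done
    return $rc
}

if [ -n "$1" ]; then
    check_gogo "$1"
fi
```

   Run it against the public URL of the installation after applying the
   proxy rule; a non-zero exit status means at least one probe was not
   blocked. Repeat it against the Opencast host's own HTTP port if that
   port is reachable from anywhere untrusted, since the proxy rule does
   not cover direct access.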


Credits:

This issue was discovered by Lars Kiesow (University of Osnabruck) and was fixed by Waldemar Smirnow (University of Osnabruck)