Hello,
This is the official security notice regarding a security issue recently
discovered in the stream security module within all recent versions of Opencast.
Description:
Opencast offers endpoints to sign URLs. Authorised users may use those endpoints
to sign URLs that belong to any tenant, not just the tenant the users are
authorised to work with.
Affects:
This issue affects all recent versions of Opencast.
Details:
Authorised users can use the endpoints /api/security/sign and /signing/sign to
have Opencast sign a URL they provide. Opencast determines whether a URL signing
key has been configured for a prefix of the provided URL and, if so, returns the
URL signed with that configured signing key.
The problem is that URL signing keys are not tenant-specific; therefore, an
authorised user of one tenant can sign URLs belonging to other tenants.
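As an added illustration (not Opencast's own code), a hypothetical Python model of prefix-based key lookup: the first function reproduces the missing tenant check described above, the second shows the tenant-scoped lookup that closes it. The key store, tenant names and HMAC-based signature format are assumptions made for the example.

```python
# Hypothetical model of prefix-based URL signing, with and without a tenant check.
# Not Opencast's code: key store, tenant names and signature format are constructed.
import hashlib
import hmac

# Constructed key store: URL prefix -> (key id, secret, owning tenant).
SIGNING_KEYS = {
    "https://media.tenant-a.example/": ("key-a", b"secret-a", "tenant-a"),
    "https://media.tenant-b.example/": ("key-b", b"secret-b", "tenant-b"),
}

def find_key(url):
    """Return the (key id, secret, tenant) entry whose prefix matches url, or None."""
    for prefix, entry in SIGNING_KEYS.items():
        if url.startswith(prefix):
            return entry
    return None

def sign(url, key_id, secret):
    """Simplified signature: HMAC-SHA256 over the URL, appended as query parameters."""
    mac = hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()
    return f"{url}?keyId={key_id}&signature={mac}"

def sign_url_vulnerable(url, user_tenant):
    """Vulnerable: the key is chosen by URL prefix alone; user_tenant is never consulted."""
    entry = find_key(url)
    if entry is None:
        raise ValueError("no signing key configured for this URL")
    key_id, secret, _owner = entry
    return sign(url, key_id, secret)

def sign_url(url, user_tenant):
    """Hardened: a key may only be used by the tenant it belongs to."""
    entry = find_key(url)
    if entry is None:
        raise ValueError("no signing key configured for this URL")
    key_id, secret, owner = entry
    if owner != user_tenant:
        raise PermissionError("signing key belongs to another tenant")
    return sign(url, key_id, secret)

def can_sign(url, user_tenant):
    """True if the hardened endpoint would sign url for user_tenant."""
    try:
        sign_url(url, user_tenant)
        return True
    except (PermissionError, ValueError):
        return False
```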
Patching the system:
Patches for this issue are included in Opencast 2.3.5 and 3.4. Newer versions
are unaffected because they incorporate the patch present in 3.4.
Credits:
This issue was discovered and fixed by Sven Stauber (SWITCH).