[CVE-2018-16153] Opencast publishes global system account credentials


Greg Logan

2018-10-22 18:18:22
To: security...@opencast.org
Hello,

This is the official security notice regarding a security issue recently
identified in all versions of Opencast.

Description
-----------

Opencast will try to authenticate against any external services listed in a
media package when it is trying to access the files, sending the global system
user's credentials regardless of the target being part of the Opencast cluster
or not.

Affected Versions
-----------------

This affects all current versions of Opencast.


Description
-----------

Opencast nodes communicate via HTTP to access remote files and
services. To ensure no malicious requests can be made, Opencast's
endpoints are protected and need authentication. That is why the system
account's credentials are sent with each internal request.

The problem is that Opencast currently has no way of deciding if a URL's
target is part of the internal Opencast cluster or not. Hence,
ingesting a URL to a foreign system will cause Opencast to send its
credentials to the foreign (and potentially malicious) target.

This issue has been filed at http://opencast.jira.com/browse/MH-13156
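
The check the fix calls for, deciding whether a URL's target is one of our own cluster nodes before attaching the system account's credentials, as an added illustration that is not Opencast's code. The node URLs, the hostnames and the use of HTTP Basic as the credential format are assumptions for the example; it compares a normalised (scheme, host, port) origin rather than a string prefix, so lookalike hosts, userinfo tricks and scheme downgrades all fall outside the cluster.

```python
import base64
from urllib.parse import urlsplit

# Constructed example: the nodes that make up our own Opencast cluster.
# Hypothetical hostnames; an operator would configure the real node URLs.
CLUSTER_NODES = {
    "https://admin.opencast.example.org",
    "https://worker1.opencast.example.org:8443",
}


def _origin(url):
    """Normalise a URL to (scheme, host, port) so the comparison is exact,
    not a prefix match that 'admin.opencast.example.org.evil.net' satisfies."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


TRUSTED_ORIGINS = {_origin(u) for u in CLUSTER_NODES}


def is_cluster_url(url):
    """True only if scheme, host and port all match a configured node.
    Userinfo such as 'https://admin.opencast.example.org@evil.net/' is not
    a trick here: urlsplit() reports the real host, evil.net.
    A plain-http URL for a trusted https host is also rejected."""
    return _origin(url) in TRUSTED_ORIGINS


def build_request_headers(url, system_user, system_password):
    """Attach the system account's credentials only to in-cluster requests.
    A media package URL pointing anywhere else is fetched unauthenticated,
    which is the behaviour the fix is meant to enforce. (HTTP Basic is used
    here purely as an illustrative credential format.)"""
    headers = {"User-Agent": "opencast-example-client"}
    if is_cluster_url(url):
        raw = f"{system_user}:{system_password}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    return headers
```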


Patching the system
-------------------

Patches for this issue are included in Opencast 3.7, and will be included in
Opencast 4.5, 5.2, and 6.0.

Credits:

This issue was discovered by Lars Kiesow at Elan EV, and fixed by Stephen
Marquard at University of Cape Town.