Public access may be granted to ingested events without associated access control list


Lars Kiesow

Sep 3, 2018, 4:12:21 PM
to Opencast Security Notices

Hello,
this is the official security notice regarding a security issue
recently discovered in Opencast versions 4.0-4.4 and 5.0.

Tracked as:

CVE-2018-16155

Description:

   Using the ingest endpoints, access to ingested events may have been
   set to be public if no access control list was provided.


Affects:

   This issue affects Opencast versions 4.0-4.4, and 5.0.


Details:

   Opencast 4 announced that the default access control list had been
   changed to one allowing access to organizational or global
   administrators only:

https://docs.opencast.org/r/4.x/admin/releasenotes/#access-control-defaults

   However, the ingest service could in some cases have overwritten this
   by applying an explicit public access control list during ingest if
   no access control list was associated with the event.

   Note that if an event is created via the administrative user
   interface, it will have an attached access control list, even if the
   ingest service is used (e.g. scheduled events). Hence, the problem
   is most likely to occur on ad-hoc recordings ingested by external
   systems.


Patching the system:

   Patches for this issue will be included in Opencast 4.5, and 5.1.


Credits:

   This issue was discovered by Dieter Piesch (Universitaet Regensburg)
   and fixed by Julian Kniephoff (ELAN e.V.).

Links:

- https://opencast.jira.com/browse/MH-13055
- https://github.com/opencast/opencast/pull/396
- https://github.com/opencast/opencast/pull/397
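The following is an added illustration, not code from Opencast or from the notice above. It models the fallback behaviour the notice describes (no ACL supplied at ingest resolves to an explicit public ACL) beside the intended behaviour (no ACL resolves to the admin-only default), and runs a small audit over constructed events to show which ones end up anonymously readable under each rule. The role names, the tuple ACL representation and the sample events are assumptions chosen for the example.

```python
# Added example (not Opencast code): models the CVE-2018-16155 ingest fallback
# and an audit that flags events whose effective ACL grants anonymous read.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Ace = Tuple[str, str, bool]  # (role, action, allow) -- simplified model, assumed

# Role names follow common Opencast conventions; treat them as assumptions here.
ANONYMOUS = "ROLE_ANONYMOUS"
ADMIN_ONLY_DEFAULT: List[Ace] = [("ROLE_ADMIN", "read", True), ("ROLE_ADMIN", "write", True)]
PUBLIC_ACL: List[Ace] = [(ANONYMOUS, "read", True)]


@dataclass
class Event:
    identifier: str
    acl: Optional[List[Ace]] = None  # None = ingested without any ACL attached


def ingest_acl_vulnerable(provided: Optional[List[Ace]]) -> List[Ace]:
    """Behaviour described in the notice: no ACL supplied -> explicit public ACL."""
    return list(provided) if provided else list(PUBLIC_ACL)


def ingest_acl_fixed(provided: Optional[List[Ace]]) -> List[Ace]:
    """Intended behaviour: no ACL supplied -> the admin-only default applies."""
    return list(provided) if provided else list(ADMIN_ONLY_DEFAULT)


def grants_anonymous_read(acl: List[Ace]) -> bool:
    """True if any ACE allows the anonymous role to read."""
    return any(role == ANONYMOUS and action == "read" and allow
               for role, action, allow in acl)


def audit(events: List[Event], resolve) -> List[str]:
    """Identifiers of events whose effective ACL (after the fallback) is public."""
    return [e.identifier for e in events if grants_anonymous_read(resolve(e.acl))]


# Constructed sample: an admin-UI event (ACL attached), an ad-hoc capture ingested
# by an external system (no ACL), and an event that is public on purpose.
SAMPLE_EVENTS = [
    Event("admin-ui-event", [("ROLE_ADMIN", "read", True), ("ROLE_USER", "read", True)]),
    Event("adhoc-capture-1"),
    Event("intentionally-public", [(ANONYMOUS, "read", True)]),
]

if __name__ == "__main__":
    print("vulnerable:", audit(SAMPLE_EVENTS, ingest_acl_vulnerable))
    print("fixed:     ", audit(SAMPLE_EVENTS, ingest_acl_fixed))
```

Under the vulnerable rule the ACL-less ad-hoc capture is reported alongside the intentionally public event; under the fixed rule only the intentionally public event remains.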