Security Issue in Recording Access Control


Lars Kiesow

Dec 14, 2015, 9:43:23 AM12/14/15
to security...@opencast.org
Hello,
this is the official security notice regarding a critical security
issue recently discovered in Opencast 2.x

Description:

This issue might allow unauthorized access to private recordings in
Opencast if they are not protected by a series wide access policy.


Affects:

This issue affects all set-ups of Opencast >= 2.0 using the default
workflows.


Details:

The security rules are attached to the media package. During
publication, a new, public media package will be created based on
the original one. Elements included need to be specified in the
`publish-engage` workflow operation.

In the default workflows, the flavor `security/*` containing the
access policies is not included. Consequently, the policies do not
end up in the new media package and their access rules are thus not
honored in the publication.

If no rules at all are found during publication, a fall-back request
is made to the series service. This way, at least the series rules
are applied. The rules for that particular recording, however, are
not.

This does not affect rules added afterwards through the archive.


Patching the system:

Patches for this issue will be included in Opencast 2.0.2 and
Opencast 2.1.0, which will be released in the next few days. Patches can
also be found attached to this mail. The updated set of default
workflows can be found in the respective git release branches.

If you are using customized workflows, please make sure that the
access rules are published. Usually, adding the following
configuration to the `publish-engage` operation will suffice:

<configuration key="download-source-flavors">dublincore/*,security/*</configuration>

Please also ensure that for old recordings with special access
rules, these have been correctly applied to the publication. Please
update the security rules through the archive (admin ui workflow
details) if necessary.
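To check a customized workflow for the configuration change described above, the following script is an added example and is not part of this notice or of Opencast. It parses a workflow definition, finds every `publish-engage` operation and reports whether the flavor patterns in its `download-source-flavors` configuration cover the episode ACL attachment. The element layout (`definition` > `operations` > `operation` > `configurations` > `configuration`), the sample workflow, and the concrete ACL flavor `security/xacml+episode` are assumptions made for this example; the only flavor pattern the notice itself prescribes is `security/*`.

```python
"""Audit Opencast workflow definitions for publish-engage operations whose
download-source-flavors configuration does not cover the security/* flavor.
Added example; the XML layout and ACL flavor below are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample workflow definition (not a real Opencast file). It holds
# three publish-engage operations: one that omits the ACL flavor, one with
# the fix from the notice, and one that publishes every flavor.
SAMPLE_WORKFLOW = """
<definition xmlns="http://workflow.opencastproject.org">
  <id>custom-publish</id>
  <operations>
    <operation id="publish-engage" description="Publish, ACL missing">
      <configurations>
        <configuration key="download-source-flavors">dublincore/*,presenter/delivery</configuration>
        <configuration key="streaming-source-flavors">presenter/delivery</configuration>
      </configurations>
    </operation>
    <operation id="publish-engage" description="Publish, ACL included">
      <configurations>
        <configuration key="download-source-flavors">dublincore/*,security/*</configuration>
      </configurations>
    </operation>
    <operation id="publish-engage" description="Publish everything">
      <configurations>
        <configuration key="download-source-flavors">*/*</configuration>
      </configurations>
    </operation>
  </operations>
</definition>
"""

# Assumed flavor of the episode ACL attachment; any pattern matching it
# (security/*, */*, or the exact flavor) counts as "ACL is published".
ACL_FLAVOR = "security/xacml+episode"
CONFIG_KEY = "download-source-flavors"


def local_name(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def flavor_matches(pattern, flavor):
    """True if a pattern such as 'security/*' or '*/*' covers `flavor`."""
    ptype, _, psub = pattern.strip().partition("/")
    ftype, _, fsub = flavor.partition("/")
    return ptype in ("*", ftype) and psub in ("*", fsub)


def find_publish_engage_operations(xml_text):
    """Return every <operation id="publish-engage"> element in the definition."""
    root = ET.fromstring(xml_text)
    return [op for op in root.iter()
            if local_name(op.tag) == "operation" and op.get("id") == "publish-engage"]


def source_flavor_patterns(operation, key=CONFIG_KEY):
    """Split the comma-separated flavor list of the given configuration key."""
    for conf in operation.iter():
        if local_name(conf.tag) == "configuration" and conf.get("key") == key:
            return [p.strip() for p in (conf.text or "").split(",") if p.strip()]
    return []


def audit_workflow(xml_text, acl_flavor=ACL_FLAVOR):
    """Return (operation description, acl_published) for each publish-engage op."""
    findings = []
    for op in find_publish_engage_operations(xml_text):
        patterns = source_flavor_patterns(op)
        acl_published = any(flavor_matches(p, acl_flavor) for p in patterns)
        findings.append((op.get("description", ""), acl_published))
    return findings


if __name__ == "__main__":
    for description, ok in audit_workflow(SAMPLE_WORKFLOW):
        status = "ok" if ok else "MISSING security/* in " + CONFIG_KEY
        print(f"{description}: {status}")
```

Point `audit_workflow` at the contents of each customized workflow file; any `False` entry marks an operation that would reproduce the issue, because the ACL attachment never reaches the published media package.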

Best regards,
Lars Kiesow
0001-MH-11236-ACL-Publication-Fix-2.0.patch
0001-MH-11236-ACL-Publication-Fix-2.1.patch