Portals | News

Jasig Updates uPortal To Tackle Potential Exploit

Jasig has released an update to uPortal to address a vulnerability affecting uPortal 4 and dependent software, such as uMobile and SSP.

uPortal is an open source enterprise portal that's built on Java, XML, JSP, and Java 2 Platform Enterprise Edition (J2EE) technologies, providing a framework for building portals with standards-based integration (including authentication and security applications), single login, and customization.

uPortal addresses a vulnerability in uPortal 4.x that could allow other applications to log in as a user. As Jasig described it: "This is an illicit proxy vulnerability wherein other applications using the same CAS server as the portal may be able to themselves access the portal as the end user, and then are able to do anything the end user would have been able to do through the portal. This is not a privilege escalation vulnerability, in that illicit proxies can illicitly proxy only as users who use CAS to log in to them. They cannot arbitrarily become other users or escalate privileges beyond those of the user as whom they're illicitly accessing the portal."

Jasig indicated that the vulnerability is "very likely" to be exploitable but unlikely to have been exploited so far.

The uPortal update is available now. Complete details on the vulnerability can be found in the latest uPortal release notes, along with links to code.


About the Author

Executive Producer David Nagel heads up the editorial department for 1105 Media's education publications — which include two daily sites, a variety of newsletters and two monthly digital magazines covering technology in both K-12 and higher education.

A 21-year publishing veteran, Nagel has led or contributed to dozens of technology, art and business publications.

He can be reached at dnagel@1105media.com. You can also connect with him on LinkedIn at linkedin.com/profile/view?id=10390192 or follow him on Twitter at @THEJournalDave (K-12) or @CampusTechDave (higher education). A selection of David Nagel's articles can be found on this site.

comments powered by Disqus