Jasig Updates uPortal To Tackle Potential Exploit
Jasig has released an update to uPortal to address a vulnerability affecting uPortal 4 and dependent software, such as uMobile and SSP.
uPortal is an open source enterprise portal that's built on Java, XML, JSP, and Java 2 Platform Enterprise Edition (J2EE) technologies, providing a framework for building portals with standards-based integration (including authentication and security applications), single login, and customization.
uPortal 4.0.11.1 addresses a vulnerability in uPortal 4.x that could allow other applications to log in as a user. As Jasig described it: "This is an illicit proxy vulnerability wherein other applications using the same CAS server as the portal may be able to themselves access the portal as the end user, and then are able to do anything the end user would have been able to do through the portal. This is not a privilege escalation vulnerability, in that illicit proxies can illicitly proxy only as users who use CAS to log in to them. They cannot arbitrarily become other users or escalate privileges beyond those of the user as whom they're illicitly accessing the portal."
Jasig indicated that the vulnerability is "very likely" to be exploitable but unlikely to have been exploited so far.
The uPortal 4.0.11.1 update is available now. Complete details on the vulnerability can be found in the latest uPortal release notes, along with links to code.