# CAS Vulnerability Disclosure
Friday, Apr 8, 2016
10 minute read
# Remember
This post is **NOT** new. I am just collecting it here so it’s publicly available. It was originally published as a secret gist on GitHub in April 2016.
# Overview
This is an Apereo CAS project vulnerability disclosure, describing an issue in CAS’s attempts to deserialize objects via the Apache Commons Collections library.
# Affected Deployments
The attack vector applies to all CAS `v4.1.x` and `v4.2.x` deployments in which the out-of-the-box default CAS configuration is used for managing object serialization, encryption and signing of data.
You are **NOT** affected by this issue if:
- You have deployed a different CAS version, lower than `v4.1.0`.
- You have deployed CAS `v4.1.x` or `v4.2.x`, **BUT** you have removed the default CAS configuration for encryption/signing and have regenerated the appropriate settings for your own deployment.
Exploiting the vulnerability hinges on getting the JVM to de-serialize Java objects from arbitrary serialized data. If the above conditions describe your deployment, we **STRONGLY** recommend that you take necessary action to patch your deployment based on the below instructions.
# Severity
This is a very serious issue: successfully exploiting this vulnerability allows the adversary to inject arbitrary code. This disclosure covers a specific exploit path involving a vulnerable version of Apache Commons Collections. That exploit path is only one instance of a broader JVM Java object deserialization security concern.
# Patching
Patch releases are now available to address CAS `v4.1.x` and `v4.2.x` deployments. Upgrades to the next patch version for each release should be a drop-in replacement, with some effort to appropriately reconfigure CAS encryption/signing settings via the `cas.properties` file.
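A quick audit of a `cas.properties` file, added here as an example and not part of the original disclosure or the CAS project: it flags the four encryption/signing key properties CAS 4.1/4.2 expose when they are missing, empty (so the built-in default is used), equal to a known distribution default, or too short. `KNOWN_DEFAULTS` is a placeholder to be filled from your own distribution, and the sample configuration is constructed.

```python
import re
from typing import Dict, List

# Key properties from CAS 4.1.x/4.2.x cas.properties for the ticket-granting
# cookie (tgc.*) and webflow (webflow.*) ciphers.
KEY_PROPERTIES = [
    "tgc.encryption.key", "tgc.signing.key",
    "webflow.encryption.key", "webflow.signing.key",
]
# Placeholder: replace with the exact default strings shipped in your CAS build.
KNOWN_DEFAULTS = {"<DEFAULT-KEY-FROM-DISTRIBUTION>"}
MIN_KEY_LENGTH = 16  # assumed sanity floor, not a CAS requirement

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_keys(text: str) -> List[str]:
    """One finding per key property that is missing, empty, default or short."""
    props = parse_properties(text)
    findings = []
    for name in KEY_PROPERTIES:
        value = props.get(name, "")
        if not value:
            findings.append(f"{name}: missing or empty (built-in default will be used)")
        elif value in KNOWN_DEFAULTS:
            findings.append(f"{name}: matches a known distribution default")
        elif len(value) < MIN_KEY_LENGTH:
            findings.append(f"{name}: shorter than {MIN_KEY_LENGTH} characters")
    return findings

# Constructed sample: only the TGC signing key has been regenerated.
SAMPLE = """\
# CAS settings (constructed sample)
tgc.encryption.key=<DEFAULT-KEY-FROM-DISTRIBUTION>
tgc.signing.key=Zt3kq9dLm2PxVb8WcRn4Ys6TuHg1JfAe
# webflow.encryption.key=
webflow.signing.key=
"""

if __name__ == "__main__":
    for finding in audit_keys(SAMPLE):
        print(finding)
```

Run it against a deployment's real `cas.properties` after patching; an empty result means every key was set to a non-default value.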