Editing of this page is restricted to release engineers, uPortal developers, and a few other groups because it is security-related and distributes a security patch file.
Status of this vulnerability
This is a verified vulnerability. This page documents how to patch your local uPortal 2.6 environment to close it.
A forthcoming uPortal 2.6.1.1 release will consist of uPortal 2.6.1 with this patch pre-applied. This page exists to allow you to apply this patch before that release is available and to provide an alternative to adopting that release (you may find the patching described here more convenient).
A forthcoming uPortal 2.6.2 release will include this patch alongside other fixes and enhancements.
uPortal 2.6.1 and earlier ship with an HttpProxyServlet implementation that is broken in that it will proxy non-image content. This turns the deployed uPortal into an illicit open proxy, which constitutes a serious security vulnerability and potentially makes cross-site-scripting attacks, including session stealing, feasible.
It is important that all uPortal deployments remedy this vulnerability in their local environment.
Comment out or delete outright this servlet's declaration and its servlet-mapping in your uPortal web.xml and restart Tomcat to remove it from the environment. Ensure that your local web.xml continues not to include this servlet across future deployments (i.e., also fix this in your local source if you might ever re-deploy your uPortal using the build process).
Here's what the relevant portions of your web.xml end up looking like:
Commenting out proxy servlet in web.xml
<servlet><servlet-name>Logout</servlet-name><servlet-class>org.jasig.portal.LogoutServlet</servlet-class><load-on-startup>3</load-on-startup></servlet>
<!-- Uncomment this servlet and the corresponding servlet-mapping if ProxyWriter is enabled in portal.properties
<servlet><servlet-name>HttpProxyServlet</servlet-name><servlet-class>org.jasig.portal.HttpProxyServlet</servlet-class></servlet>
-->
...
<servlet-mapping><servlet-name>Logout</servlet-name><url-pattern>/Logout</url-pattern></servlet-mapping>
<!-- Uncomment this servlet-mapping and the corresponding servlet if ProxyWriter is enabled in portal.properties
<servlet-mapping><servlet-name>HttpProxyServlet</servlet-name><url-pattern>/servlet/ProxyServlet/*</url-pattern></servlet-mapping>
-->
A web.xml with the servlet declaration and mapping commented out is also attached to this page.
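As an added example (not the page's own code and not part of uPortal), the following script checks a web.xml the way this page recommends: it parses the deployment descriptor and reports any remaining declaration of org.jasig.portal.HttpProxyServlet or any servlet-mapping under /servlet/ProxyServlet. Because the XML parser discards comments, the commented-out form shown above passes the check, so the script can run as a build or deploy gate to keep the servlet from coming back. The two embedded web.xml fragments are constructed samples, and the function names are the example's own.

```python
"""Audit a uPortal web.xml to confirm HttpProxyServlet is out of service.

Added example; this is not part of the original page or of uPortal itself.
ElementTree discards XML comments while parsing, so a servlet that has
been commented out (as the page recommends) is correctly seen as absent.
"""
import xml.etree.ElementTree as ET

# Class name and URL prefix as they appear in the page's web.xml excerpt.
PROXY_SERVLET_CLASS = "org.jasig.portal.HttpProxyServlet"
PROXY_URL_PREFIX = "/servlet/ProxyServlet"


def _local_name(tag):
    """Strip a namespace prefix such as '{http://java.sun.com/xml/ns/j2ee}'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name):
    """Text of the first direct child with the given local name, or ''."""
    for child in element:
        if _local_name(child.tag) == name:
            return (child.text or "").strip()
    return ""


def find_proxy_servlet(web_xml_text):
    """Return a list of findings; an empty list means the servlet is removed.

    Two passes: declarations first (so a mapping is recognised by the
    servlet-name it refers to), then mappings, which are also flagged by
    URL pattern in case the name was changed but the mapping left behind.
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    proxy_names = set()

    for servlet in root.iter():
        if _local_name(servlet.tag) != "servlet":
            continue
        name = _child_text(servlet, "servlet-name")
        cls = _child_text(servlet, "servlet-class")
        if cls == PROXY_SERVLET_CLASS:
            proxy_names.add(name)
            findings.append(f"servlet '{name}' is declared with class {cls}")

    for mapping in root.iter():
        if _local_name(mapping.tag) != "servlet-mapping":
            continue
        name = _child_text(mapping, "servlet-name")
        pattern = _child_text(mapping, "url-pattern")
        if name in proxy_names or pattern.startswith(PROXY_URL_PREFIX):
            findings.append(f"servlet-mapping '{name}' -> '{pattern}' still exposes the proxy")

    return findings


def is_remediated(web_xml_text):
    """True when neither a declaration nor a mapping for the proxy servlet remains."""
    return not find_proxy_servlet(web_xml_text)


# Constructed sample: the shape of an unpatched uPortal 2.6.1 web.xml.
VULNERABLE_WEB_XML = """<web-app>
  <servlet><servlet-name>Logout</servlet-name><servlet-class>org.jasig.portal.LogoutServlet</servlet-class><load-on-startup>3</load-on-startup></servlet>
  <servlet><servlet-name>HttpProxyServlet</servlet-name><servlet-class>org.jasig.portal.HttpProxyServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>Logout</servlet-name><url-pattern>/Logout</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>HttpProxyServlet</servlet-name><url-pattern>/servlet/ProxyServlet/*</url-pattern></servlet-mapping>
</web-app>
"""

# Constructed sample: the same file with the servlet commented out as the page shows.
REMEDIATED_WEB_XML = """<web-app>
  <servlet><servlet-name>Logout</servlet-name><servlet-class>org.jasig.portal.LogoutServlet</servlet-class><load-on-startup>3</load-on-startup></servlet>
  <!-- Uncomment this servlet and the corresponding servlet-mapping if ProxyWriter is enabled in portal.properties
  <servlet><servlet-name>HttpProxyServlet</servlet-name><servlet-class>org.jasig.portal.HttpProxyServlet</servlet-class></servlet>
  -->
  <servlet-mapping><servlet-name>Logout</servlet-name><url-pattern>/Logout</url-pattern></servlet-mapping>
  <!-- Uncomment this servlet-mapping and the corresponding servlet if ProxyWriter is enabled in portal.properties
  <servlet-mapping><servlet-name>HttpProxyServlet</servlet-name><url-pattern>/servlet/ProxyServlet/*</url-pattern></servlet-mapping>
  -->
</web-app>
"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_web_xml.py /path/to/web.xml  (exit status 1 if the proxy is still present)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else VULNERABLE_WEB_XML
    for finding in find_proxy_servlet(text):
        print("FINDING:", finding)
    sys.exit(0 if is_remediated(text) else 1)
```

Run it against the web.xml in your deployed Tomcat webapp as well as the one in your local source tree; a non-zero exit status from either means the servlet can still be reached (or will be again on the next deploy).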
Removing this servlet from service in your portal environment is sufficient to block this vulnerability. However, if you may wish to use the servlet in the future, you may also wish to fix the HttpProxyServlet Java class as discussed below.
If you are using HttpProxyServlet
A simple code fix to HttpProxyServlet.java will block this vulnerability. (It's a matter of fixing HttpProxyServlet to have the code execution path it was intended to have. This patch fixes an unfortunate bug.)
You should also apply the fix in your local source so that, if you re-compile or re-deploy uPortal, your environment will still include it.
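The page does not reproduce the patched HttpProxyServlet.java, so as an added illustration (not the distributed patch and not uPortal code) here is the relay decision such a servlet should make, written in Python: only a successful upstream response whose Content-Type is an allow-listed image type, and whose leading bytes match that type, is passed on; everything else is refused with nothing from the upstream response leaking through. The function names, the response shapes and the sample responses are assumptions constructed for the example.

```python
"""Relay gate for a content proxy: pass through images only, fail closed otherwise.

Added example; this is not the HttpProxyServlet patch distributed with the
page. It models the behaviour the page says the servlet was intended to
have: relay image content and refuse everything else, so the portal cannot
be used as a general-purpose proxy for HTML or script. The response shapes
and helper names here are assumptions made for the example.
"""

# Only these media types are relayed; anything else (HTML, JavaScript,
# text, unknown) is refused. Extend deliberately, never with a wildcard.
ALLOWED_IMAGE_TYPES = frozenset({"image/gif", "image/jpeg", "image/png"})

# Leading bytes that each allow-listed type must start with (defence in depth:
# the upstream Content-Type header is under the upstream server's control).
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}


def media_type_of(content_type_header):
    """Lower-cased media type without parameters; '' if the header is missing."""
    if not content_type_header:
        return ""
    return content_type_header.split(";", 1)[0].strip().lower()


def body_matches_type(media_type, body):
    """True if the body's leading bytes match the declared image type."""
    return any(body.startswith(sig) for sig in MAGIC.get(media_type, ()))


def may_relay(status, headers, body):
    """Decide whether an upstream response may be relayed to the browser.

    Fails closed: only a 200 whose Content-Type is an allow-listed image type
    and whose bytes look like that image type gets through.
    """
    if status != 200:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    media_type = media_type_of(lowered.get("content-type"))
    return media_type in ALLOWED_IMAGE_TYPES and body_matches_type(media_type, body)


def relay(status, headers, body):
    """Build the response the proxy sends to its client as (status, headers, body).

    On refusal the upstream body and headers are dropped entirely; only a
    fixed message goes back, so no upstream HTML, cookies or scripts leak.
    """
    if not may_relay(status, headers, body):
        return 403, {"Content-Type": "text/plain"}, b"proxying of non-image content is not permitted"
    lowered = {k.lower(): v for k, v in headers.items()}
    # Pass through only what the browser needs to render the image.
    out_headers = {
        "Content-Type": lowered["content-type"],
        "Content-Length": str(len(body)),
        "X-Content-Type-Options": "nosniff",
    }
    return 200, out_headers, body


# Constructed sample upstream responses (the bodies are minimal stand-ins).
UPSTREAM_PNG = (200, {"Content-Type": "image/png"}, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
UPSTREAM_HTML = (200, {"Content-Type": "text/html; charset=utf-8", "Set-Cookie": "sid=abc"},
                 b"<html><body>constructed sample page</body></html>")
# A server that labels HTML as an image: the header check alone would pass it.
UPSTREAM_MISLABELLED = (200, {"Content-Type": "image/png"}, b"<html>not a png</html>")

if __name__ == "__main__":
    for name, resp in (("png", UPSTREAM_PNG), ("html", UPSTREAM_HTML), ("mislabelled", UPSTREAM_MISLABELLED)):
        status, _, _ = relay(*resp)
        print(f"{name}: relayed" if status == 200 else f"{name}: refused ({status})")
```

The two checks are deliberately independent: the media-type allow list is what the page describes as the intended execution path, and the magic-byte comparison catches an upstream server that simply labels arbitrary content as an image. Dropping all upstream headers on refusal (and forwarding only Content-Type and Content-Length on success) keeps the proxy from relaying cookies or other state between the two origins.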