OpenID Vulnerability Alert

Postby 10539yutaka » Mon Aug 26, 2013 3:27 pm

The OpenID Foundation (OpenID Foundation website) has reported that some OpenID Authentication 2.0 server implementations were found to be vulnerable.
Anyone who implements an OP or RP on a Zimbra server (maybe as a server extension) should take a look at the details in their post below:

Vulnerability Alert – OpenID 2.0 Implementations Vulnerabilities found in some OPs | OpenID


Postby 10539yutaka » Mon Sep 02, 2013 11:40 am

The root cause of this is a vulnerable implementation on the OP side.

So something should be done on the OP side eventually.

But in the meantime, there could be some workaround which the RP itself can do.

One is to stop using private associations and use only shared associations on the RP side.
I guess you can do this with the zimbraOpenidConsumerStatelessModeEnabled attribute in Zimbra LDAP if you use the OpenID Consumer server extension in the Zimbra NE package.
(I can only "guess" that because I cannot find the source code of the OpenID Consumer server extension in Zimbra. :p)
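
The RP-side workaround described in the post above, as an added example that is not code from the poster, Zimbra or the OpenID Consumer extension: the RP verifies an id_res assertion only against a shared association it established itself, checks the HMAC over the key-value form of the signed fields, and refuses assertions under any other handle instead of falling back to a stateless check_authentication round trip. The association, MAC key, endpoints and nonce are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
# Fields OpenID 2.0 section 10.1 requires the OP to list in openid.signed.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
# Constructed: the one shared association this RP established with the OP
# earlier (handle plus the MAC key agreed in the associate request).
SHARED_ASSOCIATIONS = {"{HMAC-SHA256}{example-handle}": {
    "assoc_type": "HMAC-SHA256", "mac_key": base64.b64encode(bytes(range(32))).decode()}}


def compute_sig(assoc, params):
    """HMAC (base64) over the key-value form of the signed fields, OpenID 2.0 sections 4.1.1
    and 6.1: one 'key:value\\n' line per name in openid.signed order, 'openid.' prefix removed."""
    names = params["openid.signed"].split(",")
    kv = "".join(f"{n}:{params['openid.' + n]}\n" for n in names).encode("utf-8")
    key = base64.b64decode(assoc["mac_key"])
    return base64.b64encode(hmac.new(key, kv, DIGESTS[assoc["assoc_type"]]).digest()).decode()


def verify_assertion(params, associations=SHARED_ASSOCIATIONS):
    """Accept an id_res assertion only if it is signed under a shared association this RP holds;
    an unknown (e.g. OP-private) handle is rejected rather than checked via check_authentication."""
    assoc = associations.get(params.get("openid.assoc_handle"))
    if assoc is None or params.get("openid.mode") != "id_res":
        return False
    signed = params.get("openid.signed", "").split(",")
    # Mandatory fields, plus claimed_id/identity when present, must all be under the signature.
    must_sign = REQUIRED_SIGNED + tuple(n for n in ("claimed_id", "identity") if "openid." + n in params)
    if any(n not in signed for n in must_sign):
        return False
    try:
        expected = base64.b64decode(compute_sig(assoc, params))
        received = base64.b64decode(params.get("openid.sig", ""), validate=True)
    except (KeyError, binascii.Error, ValueError):
        return False
    return hmac.compare_digest(expected, received)


def constructed_assertion(handle="{HMAC-SHA256}{example-handle}"):
    """Constructed sample response, signed with the shared key as a well-behaved OP would."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.invalid/auth", "openid.return_to": "https://rp.example.invalid/return",
        "openid.claimed_id": "https://op.example.invalid/alice", "openid.identity": "https://op.example.invalid/alice",
        "openid.response_nonce": "2013-09-02T02:40:00Zx7Qk", "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = compute_sig(SHARED_ASSOCIATIONS["{HMAC-SHA256}{example-handle}"], params)
    return params
```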

Postby jkhondhu@zimbra.com » Wed Jan 13, 2016 2:46 pm

https://bugzilla.zimbra.com/show_bug.cgi?id=102276 - OpenID: Unsafe use of a serialized java object [CWE-502]

https://bugzilla.zimbra.com/show_bug.cgi?id=102227 - Patch java.commons.io for security exploit [CWE-502]
