OpenID Vulnerability Alert

10539yutaka
Advanced member
Posts: 114
Joined: Sat Sep 13, 2014 12:45 am
Location: Tokyo

OpenID Vulnerability Alert

Post by 10539yutaka »

The OpenID Foundation (OpenID Foundation website) has reported that some OpenID Authentication 2.0 server implementations were found to be vulnerable.
Anyone who implements an OP or RP on a Zimbra server (maybe as a server extension) should take a look at the details in their post below:

Vulnerability Alert – OpenID 2.0 Implementations Vulnerabilities found in some OPs | OpenID
10539yutaka

OpenID Vulnerability Alert

Post by 10539yutaka »

The root cause of this is a vulnerable implementation on the OP side.

So something should be done on the OP side eventually.

But in the meanwhile, there could be some workaround which the RP itself can do.

One is to stop using private associations and use only shared associations on the RP side.
I guess you can do this with the zimbraOpenidConsumerStatelessModeEnabled attribute in Zimbra LDAP if you use the OpenID Consumer server extension in the Zimbra NE package.
(I can only "guess" that because I cannot find the source code of the OpenID Consumer server extension in Zimbra. :p)
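For readers unfamiliar with what "stateless mode" changes on the RP side, here is an added example (not code from the thread or from Zimbra's OpenID Consumer extension) of the OpenID 2.0 direct-verification flow, in which the RP does not rely on any association it holds but asks the OP to confirm the signature with a check_authentication request (OpenID Authentication 2.0, section 11.4.2). The assertion values and the `post` callback are constructed for the example.

```python
from typing import Callable, Dict, Set

# Constructed sample positive assertion (openid.mode=id_res) as the RP would
# receive it on its return_to URL; every value here is made up for illustration.
SAMPLE_ASSERTION: Dict[str, str] = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://op.example/alice",
    "openid.identity": "https://op.example/alice",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2015-01-01T00:00:00ZABC",
    "openid.assoc_handle": "handle-the-rp-never-issued",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    "openid.sig": "ZmFrZS1zaWc=",
}

def build_check_authentication(assertion: Dict[str, str]) -> Dict[str, str]:
    """Copy every field of the positive assertion (signature included) into a
    direct request and change only the mode, as section 11.4.2 requires."""
    request = dict(assertion)
    request["openid.mode"] = "check_authentication"
    return request

def parse_kv_form(body: str) -> Dict[str, str]:
    """Parse the OP's Key-Value Form response ("key:value" per line)."""
    fields: Dict[str, str] = {}
    for line in body.split("\n"):
        if line:
            key, _, value = line.partition(":")
            fields[key] = value
    return fields

def verify_stateless(assertion: Dict[str, str], post: Callable[[str, Dict[str, str]], str],
                     expected_return_to: str, discovered_endpoint: str,
                     seen_nonces: Set[str]) -> bool:
    """RP-side checks that must hold even when no association is used."""
    # The endpoint to ask comes from discovery, never from the assertion itself.
    if assertion.get("openid.op_endpoint") != discovered_endpoint:
        return False
    if assertion.get("openid.return_to") != expected_return_to:
        return False
    nonce = assertion.get("openid.response_nonce", "")
    if not nonce or nonce in seen_nonces:          # reject replays
        return False
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required <= set(assertion.get("openid.signed", "").split(",")):
        return False
    reply = parse_kv_form(post(discovered_endpoint, build_check_authentication(assertion)))
    if reply.get("is_valid") != "true":
        return False
    seen_nonces.add(nonce)
    return True
```

Direct verification moves trust in the signature to the OP's own answer, so it is a workaround for the RP's handling of associations, not a fix for a defective OP.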
jkhondhu@zimbra.com
Zimbra Alumni
Posts: 4
Joined: Fri Jul 18, 2014 4:45 am

OpenID Vulnerability Alert

Post by jkhondhu@zimbra.com »

https://bugzilla.zimbra.com/show_bug.cgi?id=102276 - OpenID: Unsafe use of a serialized java object [CWE-502]

https://bugzilla.zimbra.com/show_bug.cgi?id=102227 - Patch java.commons.io for security exploit [CWE-502]
sunshinejulie4
Posts: 2
Joined: Sun Jan 14, 2018 3:04 pm

Re: OpenID Vulnerability Alert

Post by sunshinejulie4 »

OpenID has not been working for me for years now.