The OpenID Foundation has reported that
some OpenID Authentication 2.0 server implementations were found to be vulnerable.
Anyone who implements an OP or RP on a Zimbra server (maybe as a server extension) should take a look at the details in their post below:
Vulnerability Alert – OpenID 2.0 Implementations Vulnerabilities found in some OPs | OpenID
OpenID Vulnerability Alert
- Advanced member
- Posts: 114
- Joined: Sat Sep 13, 2014 12:45 am
- Location: Tokyo
OpenID Vulnerability Alert
The root cause of this is a vulnerable implementation on the OP side.
So something should be done on the OP side eventually.
But in the meanwhile, there could be some workaround which the RP itself can do.
One is to stop using private associations and use only shared associations on the RP side.
I guess you can do this with the zimbraOpenidConsumerStatelessModeEnabled attribute in Zimbra LDAP if you use the OpenID Consumer server extension in the Zimbra NE package.
(I can only "guess" that because I cannot find the source code of the OpenID Consumer server extension in Zimbra. :p)
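The workaround above (accept only assertions signed with a shared association the RP itself established, never ones that would need a private association plus a check_authentication round trip) is easy to state but easy to get subtly wrong. The following is an added example, not code from Zimbra or from the OpenID Consumer server extension, of what an RP-side verifier doing exactly that looks like. It follows OpenID Authentication 2.0 (key-value form signing, required signed fields, return_to and response_nonce checks); the association store, the association handle names, the secret and the sample assertion are all constructed for the example, and the choice to reject unknown handles outright instead of falling back to check_authentication is the strict reading of the poster's workaround, not something the page describes in detail.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields that OpenID Authentication 2.0, section 10.1, requires the OP to sign.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
NONCE_MAX_AGE = 300  # seconds; an RP policy choice for this example, not a spec value
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

# Constructed sample association store: handle -> shared association the RP
# obtained from the OP via an associate request. The secret is a dummy value.
ASSOCIATIONS = {
    "assoc-example-1": {"type": "HMAC-SHA256", "secret": b"\x01" * 32,
                        "expires": 4102444800},  # 2100-01-01T00:00:00Z
}


def kv_form(params, signed_fields):
    """Key-value form of the signed fields: 'key:value\\n' per field, in order."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)


def compute_sig(assoc, kv):
    """Base64 HMAC over the key-value form, using the association's MAC key."""
    mac = hmac.new(assoc["secret"], kv.encode("utf-8"), DIGESTS[assoc["type"]])
    return base64.b64encode(mac.digest()).decode("ascii")


def nonce_timestamp(nonce):
    """Epoch seconds from the leading 'YYYY-MM-DDThh:mm:ssZ' of a response_nonce."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))


def verify_assertion(query, associations, expected_return_to, now, seen_nonces):
    """Verify a positive assertion using only a shared association this RP holds.

    Returns (ok, reason). An assertion whose assoc_handle is not one of our
    shared associations is rejected here instead of being forwarded to the
    OP's check_authentication endpoint (the stateless / private-association path).
    """
    p = dict(parse_qsl(query, keep_blank_values=True))
    if p.get("openid.ns") != OPENID_NS or p.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    assoc = associations.get(p.get("openid.assoc_handle", ""))
    if assoc is None:
        return False, "assoc_handle not a shared association held by this RP"
    if assoc["expires"] <= now:
        return False, "association expired"
    signed = p.get("openid.signed", "").split(",")
    if any(f not in signed for f in REQUIRED_SIGNED):
        return False, "required field missing from openid.signed"
    # claimed_id / identity must be signed whenever they are present.
    if any("openid." + f in p and f not in signed for f in ("claimed_id", "identity")):
        return False, "identity fields present but not signed"
    if any("openid." + f not in p for f in signed):
        return False, "openid.signed lists a field that is not in the message"
    if p["openid.return_to"] != expected_return_to:
        return False, "return_to mismatch"
    nonce = p["openid.response_nonce"]
    try:
        ts = nonce_timestamp(nonce)
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - ts) > NONCE_MAX_AGE:
        return False, "response_nonce outside acceptance window"
    if nonce in seen_nonces:
        return False, "response_nonce replayed"
    expected = compute_sig(assoc, kv_form(p, signed))
    if not hmac.compare_digest(expected, p.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)  # only remember nonces of assertions that fully verified
    return True, "ok"


def build_assertion(handle, assoc, return_to, nonce, claimed_id):
    """Construct a sample positive assertion signed the way a well-behaved OP would."""
    fields = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",  # constructed endpoint
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": return_to, "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = compute_sig(assoc, kv_form(fields, signed))
    return urlencode(fields)


if __name__ == "__main__":
    now = 1500000000  # 2017-07-14T02:40:00Z, matches the constructed nonce below
    q = build_assertion("assoc-example-1", ASSOCIATIONS["assoc-example-1"],
                        "https://rp.example/return", "2017-07-14T02:40:00Zabc",
                        "https://alice.example/")
    seen = set()
    print(verify_assertion(q, ASSOCIATIONS, "https://rp.example/return", now, seen))
    print(verify_assertion(q, ASSOCIATIONS, "https://rp.example/return", now, seen))
```

The verifier only marks a nonce as seen after every other check passes, so a forged assertion cannot burn a nonce that a later legitimate one would need, and the replay check is scoped per OP endpoint in the spec (the nonce here is keyed globally for brevity, which is stricter, not weaker).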
- Zimbra Alumni
- Posts: 4
- Joined: Fri Jul 18, 2014 4:45 am
OpenID Vulnerability Alert
https://bugzilla.zimbra.com/show_bug.cgi?id=102276 - OpenID: Unsafe use of a serialized java object [CWE-502]
https://bugzilla.zimbra.com/show_bug.cgi?id=102227 - Patch java.commons.io for security exploit [CWE-502]
- Posts: 2
- Joined: Sun Jan 14, 2018 3:04 pm
Re: OpenID Vulnerability Alert
OpenID has not been working for me for years now.