update post

mmoayyed · mmoayyed · commit c0c41ffdd382 · 2024-06-26T09:20:48.000+04:00
diff --git a/_posts/cas/2024-06-19-oidc-vuln.md b/_posts/cas/2024-06-19-oidc-vuln.md
@@ -0,0 +1,69 @@
+---
+layout:     post
+title:      CAS OAuth/OpenID Connect Vulnerability Disclosure
+summary:    Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.
+tags:       [CAS]
+---
+
+# Overview
+
+This is an [Apereo CAS project vulnerability disclosure](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html),
+describing an issue in CAS acting as an OAuth/OpenID Connect provider. If your CAS server is not acting as an OAuth/OpenID Connect provider, there is nothing for you to do here. Keep calm and carry on.
+
+For additional details on how security issues, patches and announcements are handled, please read the [Apereo CAS project vulnerability disclosure](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html) process.
+
+# Credits
+
+This issue was originally reported, researched and tested by Dürr Systems AG. Dürr was kind enough to investigate the issue, offer insight to diagnose the root cause and took steps to verify the fix for various patch releases.
+
+Thank you!
+
+# Affected Deployments
+
+The problem addressed here, [per the CAS maintenance policy](https://apereo.github.io/cas/developer/Maintenance-Policy.html), affects the Apereo CAS server for the following versions:
+
+```
+- 6.6.x
+- 7.0.x
+```
+
+If your CAS version is not listed above **AND** is still part of an active maintenance cycle [per the CAS maintenance policy](https://apereo.github.io/cas/developer/Maintenance-Policy.html), then best effort (analysis or confirmation from reporters/testers) indicates that the version is not affected by this issue. That said, please note that per the project's Apache2 license, *software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied*. For additional information, please [see the project license](https://github.com/apereo/cas/blob/master/LICENSE).
+
+If you or your institution is a member of the Apereo foundation with an active support subscription supporting the CAS project, please [contact the CAS subs working group](https://apereo.github.io/cas/Mailing-Lists.html) to learn more about this security vulnerability report.
+
+# Severity
+
+Details will be made public once the [security grace period](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html) has passed.
+
+# Timeline
+
+The issue was originally reported on June 11th, 2024 and upon confirmation, CAS releases were patched and eventually published on June 19th, 2024 and June 26th, 2024.
+
+# Patching
+
+Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.
+
+## Procedure
+
+### 6.6.x
+
+Modify your CAS overlay to point to the version `6.6.15.2`.
+
+### 7.0.x
+
+Modify your CAS overlay to point to the version `7.0.5.1`.
+
+# Support
+
+Apereo CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation. Support options may be [found here](https://apereo.github.io/cas/Support.html).
+
+If you or your institution is a **member** of the Apereo foundation with an **active CAS subscription** supporting the CAS project, please [contact the CAS subs working group](https://apereo.github.io/cas/Mailing-Lists.html) to learn more about this security vulnerability.
+
+# Resources
+
+* [CAS Security Vulnerability Response Model](https://apereo.github.io/cas/developer/Sec-Vuln-Response.html)
+* [CAS Maintenance Policy](https://apereo.github.io/cas/developer/Maintenance-Policy.html)
+
+On behalf of the CAS Application Security working group,
+
+[Misagh Moayyed](https://fawnoos.com)
