CVE-2023-28857: 
Java vulnerability analysis and mitigation

Apereo CAS, an open source multilingual single sign-on solution, contains a vulnerability (CVE-2023-28857) in its X509 certificate authentication functionality. When configured to use LDAP server for x509 authentication with a password, the system leaks LDAP credentials when processing certificate revocation lists (CRL). The vulnerability was discovered by Michael Stepankin from GitHub Security Lab and affects versions 6.5.x through 6.6.x, with a fix released in version 6.6.6 (GitHub Advisory, Apereo Advisory).

The vulnerability occurs in the X509CredentialsAuthenticationHandler component when checking certificate revocation. When validating a client certificate, the handler fetches URLs provided in the 'CRL Distribution Points' extension of the certificate. If CAS is configured with LDAP authentication (using cas.authn.x509.ldap.ldap-url and cas.authn.x509.ldap.bind-credential properties), and the certificate contains LDAP URLs in its CRL distribution points, the system uses the same LDAP password for these CRL checks. The vulnerability can be exploited using even untrusted self-signed certificates, as the handler only checks date validity and revocation, but not the signature validity (GitHub Advisory).

An unauthenticated attacker can exploit this vulnerability to leak the password used for LDAP connection configured on the server. This could potentially lead to unauthorized access to the LDAP server and compromise of sensitive authentication data (GitHub Advisory).

The vulnerability has been fixed in Apereo CAS version 6.6.6. Users running affected versions (6.5.x and 6.6.x) should upgrade to version 6.6.6 or later. For version 6.5.x, users should upgrade to version 6.5.9.1. There are no known workarounds for this vulnerability (Apereo Advisory).