PT-2020-18318 · Opencast · Opencast

Lukas Kalbertodt · Published 2020-01-30 · Updated 2020-02-05

CVE-2020-5222 · CVSS v3.1: 8.8 (High) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Opencast versions prior to 7.6
Opencast versions prior to 8.1

Description

The issue allows an attacker to gain access to all servers that use the same credentials without needing the credentials, by exploiting a remember-me cookie based on a hash created from the username, the password, and an additional system key. This means that if an attacker obtains a remember-me token for one server, they can use it to access all other servers that allow login with the same credentials. The problem is caused by a hard-coded system key in the etc/security/mh_default_org.xml file, which is shared by all Opencast installations.

Recommendations

For Opencast versions prior to 7.6, update to Opencast 7.6 to fix the issue. For Opencast versions prior to 8.1, update to Opencast 8.1 to fix the issue. As a temporary workaround for older versions, set a custom key for each server in the etc/security/mh_default_org.xml file, for example:

```xml
<sec:remember-me key="CUSTOM RANDOM KEY" user-service-ref="userDetailsService" />
```
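To make the description and the recommendation above concrete, the following added example (not Opencast's code and not taken from the advisory) models a signature-based remember-me token and its server-side validation. The token layout is a simplified assumption shaped like Spring Security's token-based remember-me scheme, which Opencast builds on; the user name, password, and server keys are constructed sample values. It shows why a token minted on one server validates on every other server that shares the hard-coded key, and why a per-server random key, as the workaround recommends, closes that path.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional

# Simplified model of a signature-based remember-me token. The field layout
# (username:expiry:md5(username:expiry:password:key)) is an assumption made for
# illustration, modelled on Spring Security's token-based remember-me scheme; it
# is not Opencast's own implementation.


def make_token(username: str, password: str, key: str, expiry: int) -> str:
    """Mint a remember-me token for a user under a given server key."""
    sig = hashlib.md5(f"{username}:{expiry}:{password}:{key}".encode()).hexdigest()
    return base64.b64encode(f"{username}:{expiry}:{sig}".encode()).decode()


def validate_token(token: str, key: str, user_db: Dict[str, str], now: int) -> Optional[str]:
    """Return the username if the token verifies under THIS server's key, else None."""
    try:
        username, expiry_s, sig = base64.b64decode(token).decode().split(":")
        expiry = int(expiry_s)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    if expiry < now:
        return None  # expired
    password = user_db.get(username)
    if password is None:
        return None  # unknown user on this server
    expected = hashlib.md5(f"{username}:{expiry}:{password}:{key}".encode()).hexdigest()
    if not secrets.compare_digest(expected, sig):
        return None  # signature was produced under a different key (or tampered)
    return username


def new_server_key() -> str:
    """Generate a per-server random key: the workaround the advisory recommends."""
    return secrets.token_hex(32)


def cross_server_reuse(key_a: str, key_b: str) -> bool:
    """Constructed scenario: the same user/password exists on servers A and B.

    Returns True if a token minted by server A (key_a) is accepted by server B (key_b).
    With the shared hard-coded key this is True; with distinct per-server keys it is False.
    """
    users = {"alice": "correct horse battery staple"}  # constructed sample credentials
    now = 1_580_000_000  # constructed fixed clock so the example is deterministic
    token = make_token("alice", users["alice"], key_a, now + 3600)
    return validate_token(token, key_b, users, now) == "alice"


if __name__ == "__main__":
    shared = "hard-coded-default-key"  # stands in for the key shipped in the default config
    print("shared key, token from A accepted by B:", cross_server_reuse(shared, shared))
    print("unique keys, token from A accepted by B:", cross_server_reuse(new_server_key(), new_server_key()))
```

The check that matters is the last one: once each installation has its own key, the signature inside a token is only ever valid on the server that issued it, so a leaked cookie no longer doubles as a credential for every other server the user can log in to. Rotating the key also invalidates all outstanding remember-me tokens for that server, which is the expected side effect when applying the workaround.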

Fix

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

CVE-2020-5222
GHSA-MH8G-HPRG-8363

Affected Products

Opencast