Connect2id server 8.2.1

This is a security update to the Connect2id server.

Last night a pen test revealed a bug which allowed a particular invalid authorisation request to result in a redirection to the redirect_uri, with the standard error code and message from the failed request appended in the query parameters, without ensuring the validity of the redirect_uri.

The proper OAuth 2.0 action is to not return errors to the client if the redirect_uri and the client_id are invalid. In such cases the Connect2id server outputs a non-redirecting error which should typically be displayed to the end-user.
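The ordering this rule imposes on an authorisation endpoint, as an added illustration that is not Connect2id server code: the client_id and redirect_uri are checked against the client registry first, and only a request that passes that check may have a later failure (here, a request object that does not parse as a JWT, the case from these release notes) reported back via redirection. The client registry, the URIs and the JWT check are constructed placeholders.

```python
from urllib.parse import urlencode

# Constructed client registry for the example (hypothetical client_id and redirect_uri).
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"https://client.example.com/cb"},
}


def looks_like_jwt(request_object: str) -> bool:
    """Stand-in for real JWT parsing: a compact JWT has three non-empty dot-separated parts."""
    parts = request_object.split(".")
    return len(parts) == 3 and all(parts)


def handle_authz_request(params: dict) -> dict:
    """Decide how an authorisation request failure is reported.

    Returns {'kind': 'page', ...} for a non-redirecting error shown to the end-user,
    {'kind': 'redirect', 'location': ...} for an error sent back to the client, or
    {'kind': 'proceed'} when the request is acceptable.
    """
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    registered = REGISTERED_CLIENTS.get(client_id)

    # Step 1: an unknown client_id or an unregistered redirect_uri is never redirected to,
    # whatever else is wrong with the request. This is the check the fixed bug skipped.
    if registered is None or redirect_uri not in registered:
        return {"kind": "page", "error": "invalid_request",
                "error_description": "Invalid client_id or redirect_uri"}

    # Step 2: only now may a failure be sent back to the (verified) redirect_uri.
    error = None
    request_object = params.get("request")
    if request_object is not None and not looks_like_jwt(request_object):
        error = ("invalid_request_object", "Request object is not a valid JWT")
    elif params.get("response_type") != "code":
        error = ("unsupported_response_type", "Only response_type=code is supported here")

    if error is not None:
        query = {"error": error[0], "error_description": error[1]}
        if "state" in params:
            query["state"] = params["state"]  # echo state so the client can correlate
        return {"kind": "redirect", "location": f"{redirect_uri}?{urlencode(query)}"}

    return {"kind": "proceed"}  # continue to end-user authentication and consent
```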

Deployments are advised to update to prevent unintended redirections via the authorisation endpoint.

The latest stable 8.x and 7.x versions have been patched. The 8.x patch also includes other maintenance updates.

The next 9.0 release, which was cut today and whose documentation is currently being updated, will also include the fix.

The release notes below provide more information.

Download 8.2.1

To download a ZIP package of Connect2id server 8.2.1:

https://connect2id.com/assets/products/server/download/8.2.1/Connect2id-server.zip

SHA-256: 44fc5d5674399f582256fe983c949194e7b5cfe46beb1bbe80052bcb2e3e6a5d

As WAR package only:

https://connect2id.com/assets/products/server/download/8.2.1/c2id.war

SHA-256: 48633ed9c322d1802fa12640b1677976de8cf98bc508339961fb8154818ecab6

Download 7.18.2

To download a ZIP package of Connect2id server 7.18.2:

https://connect2id.com/assets/products/server/download/7.18.2/Connect2id-server.zip

SHA-256: 9725568fc6d934e4a0113a6fbae5780d95757573b2ecddace4ad8afe4a989aad

As WAR package only:

https://connect2id.com/assets/products/server/download/7.18.2/c2id.war

SHA-256: 8d37118f01f16672c598b60d56ceed8a18166007452b2d70a57a07ba81d7053e

Questions?

Contact Connect2id support.


Release notes

8.2.1 (2020-03-17)

Resolved issues

  • Fixes a security bug which caused the Connect2id server to redirect to a supplied invalid redirect_uri in an OAuth 2.0 authorisation request when the request includes a request object that doesn't parse to a valid JWT and the "redirect_uri" is present as a top-level parameter. The redirection will occur with the error code and description from the failed request. The correct behaviour is to not redirect back to the client with an error unless the client_id and the redirect_uri are valid. Deployments are advised to update to prevent potential misuse of such redirections (issue server/537).

  • Fixes a bug introduced in Connect2id server 8.1 which prevented the "verification" element of the OpenID "claims" authentication parameter from being output in /authz-sessions/rest/v3/ GET responses. The bug was caused by a faulty consent-all keyword sanitization (issue server/532).

  • Removes an erroneous standard output print (issue server/535).

Dependency changes

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:7.1.1

Release notes

7.18.2 (2020-03-17)

Resolved issues

  • Fixes a security bug which caused the Connect2id server to redirect to a supplied invalid redirect_uri in an OAuth 2.0 authorisation request when the request includes a request object that doesn't parse to a valid JWT and the "redirect_uri" is present as a top-level parameter. The redirection will occur with the error code and description from the failed request. The correct behaviour is to not redirect back to the client with an error unless the client_id and the redirect_uri are valid. Deployments are advised to update to prevent potential misuse of such redirections (issue server/537).