Bug 43845 - Disable UMC security mechanism when upgrading from UCS 4.1
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2
Assigned To: Florian Best
Jürn Brodersen
: interim-3
Depends on:
Blocks:
Reported: 2017-03-14 14:03 CET by Florian Best
Modified: 2021-06-23 07:29 CEST (History)

See Also:
What kind of report is it?: Security Issue
Ticket number: 2017050721000149
Bug group (optional): API change, Security
Description Florian Best univentionstaff 2017-03-14 14:03:00 CET
In UCS 4.2 several new security enforcements are done in UMC which are backwards incompatible due to adding proprietary XSRF-Protection HTTP mechanisms. Bug #39731.

This is incompatible with mixed environments of UCS 4.1, e.g. for the following cases:
* Installing UCS@school
* Joining a Windows Computer in a UCS@school multiserver environment
* using the global App-Center
* writing an exam in UCS@school
* (changing the IP Address of a DC Slave/Memberserver)
* using the Self-Service

Therefore we should disable these security checks for systems which are upgrading from UCS 4.1.
Comment 1 Florian Best univentionstaff 2017-03-14 14:20:20 CET
univention-management-console (9.0.61-1):
r77689 | Bug #43845: disable security restrictions when upgrading from UCS 4.1
Comment 2 Florian Best univentionstaff 2017-03-24 17:39:18 CET
univention-management-console (9.0.75-1):
r78314 | Bug #43845: fix inverted boolean logic
Comment 3 Jürn Brodersen univentionstaff 2017-03-27 15:15:28 CEST
What I tested:
ucr key:
  on updated system:
    umc/server/disable-security-restrictions -> true -> OK
  on fresh install:
    umc/server/disable-security-restrictions -> not set -> OK
curl:
  against fresh installed system (umc/server/disable-security-restrictions unset):
    curl without X-XSRF-Protection -> failed -> OK
    curl with X-XSRF-Protection -> ok -> OK
  against updated system (umc/server/disable-security-restrictions=true):
    curl without X-XSRF-Protection -> ok -> OK
    curl with X-XSRF-Protection -> ok -> OK

Changelog -> not required -> OK

All OK -> Verified
Comment 4 Stefan Gohmann univentionstaff 2017-04-04 18:29:08 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".
Comment 5 Jens Thorp-Hansen univentionstaff 2017-05-08 11:44:22 CEST
for findability:

Cross Site Request Forgery attack detected. Please provide the "UMCSessionId"
cookie value as HTTP request header "X-Xsrf-Protection".
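The check that produces the error message above, as an added example (not Univention's code): a minimal model of the UMC XSRF double-submit comparison with the upgrade switch from the UCR key umc/server/disable-security-restrictions, exercised with the curl matrix from Comment 3. The header and cookie names and the error text come from this bug; the dict representation of request headers and UCR, and the helper names ucr_is_true and check_xsrf, are assumptions made for the illustration.

```python
from http.cookies import SimpleCookie
from typing import Optional
import hmac

# Names and error text as quoted in this bug.
XSRF_HEADER = "X-Xsrf-Protection"
SESSION_COOKIE = "UMCSessionId"
DISABLE_KEY = "umc/server/disable-security-restrictions"
XSRF_ERROR = (
    'Cross Site Request Forgery attack detected. Please provide the "UMCSessionId" '
    'cookie value as HTTP request header "X-Xsrf-Protection".'
)


def ucr_is_true(ucr: dict, key: str) -> bool:
    """Read a UCR value as a boolean switch (accepted spellings are an assumption)."""
    return str(ucr.get(key, "")).strip().lower() in ("true", "yes", "on", "1", "enable", "enabled")


def check_xsrf(headers: dict, ucr: dict) -> Optional[str]:
    """Return None if the request passes the XSRF check, else the rejection message.

    Double-submit check: the X-Xsrf-Protection header must equal the UMCSessionId
    cookie. A cross-site page can make the browser send the cookie but cannot read
    it, so it cannot reproduce it in a header; a missing or different header is
    rejected. When the UCR key is true (systems upgraded from UCS 4.1) the check is
    skipped entirely, which is the behaviour verified in Comment 3.
    """
    if ucr_is_true(ucr, DISABLE_KEY):
        return None
    cookies = SimpleCookie(headers.get("Cookie", ""))
    session_id = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else ""
    header_value = next((v for k, v in headers.items() if k.lower() == XSRF_HEADER.lower()), "")
    # Constant-time comparison so the check itself leaks nothing about the session id.
    if not session_id or not hmac.compare_digest(header_value.encode(), session_id.encode()):
        return XSRF_ERROR
    return None


if __name__ == "__main__":
    # Constructed requests mirroring the curl matrix in Comment 3 (sample values, not real ids).
    sid = "constructed-session-id"
    with_header = {"Cookie": f"UMCSessionId={sid}", XSRF_HEADER: sid}
    without_header = {"Cookie": f"UMCSessionId={sid}"}
    fresh, upgraded = {}, {DISABLE_KEY: "true"}   # key unset vs. set on an upgraded system
    print("fresh, no header    ->", "rejected" if check_xsrf(without_header, fresh) else "ok")
    print("fresh, header       ->", "rejected" if check_xsrf(with_header, fresh) else "ok")
    print("upgraded, no header ->", "rejected" if check_xsrf(without_header, upgraded) else "ok")
```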