cloudfoundry/uaa

Spring Security Oauth2 End of Life

Subbu3992 opened this issue · 2 comments

What version of UAA are you running?
75.9.0

How are you deploying the UAA?
I am deploying the UAA using a bosh release I downloaded from bosh.io

What did you expect to see? What goal are you trying to achieve with the UAA?
Spring Security Oauth2 library removed and consume Spring Security package that provides OAuth 2.0 support.

What did you see instead?
Spring Security Oauth2 = 2.5.1.RELEASE

Notes:
Spring Security OAuth 2.3.x, 2.4.x, 2.5.x - End of Life. [Critical Impact]
OAuth 2.0 Migration Guide - https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/180405539

The labels on this github issue will be updated when the story is started.

Hi @Subbu3992 ,

The status of this library is EOL, but we have some others which are also EOL, e.g., Spring Security SAML, opensaml2.
The current approach would be to replace this if we have a CVE or security issue reported.

The migration guide you mentioned does not cover server implementations, but that is what UAA does. However, UAA has features like PKCE which were done without such a library. The use of this library did not prevent a security issue like: https://github.com/cloudfoundry/uaa/pull/1615/files

What I would like to answer is that we have to see the cases where we replace existing libraries. If this library has a CVE, we have to fork it and fix the issue.
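The reply above points at PKCE as a feature UAA implemented without the Spring Security OAuth library. As an added illustration of what such library-free server-side code has to get right (this is example code written for this page, not UAA's own Java implementation, and it assumes the server stored the `code_challenge` and `code_challenge_method` alongside the issued authorization code), the following Python performs the RFC 7636 token-endpoint check: validate the `code_verifier` syntax, recompute the challenge for the stored method, and compare in constant time. The test vector in the comments is the one from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) helpers: client-side challenge derivation and the
server-side check performed at the token endpoint. Example code for this
thread, not code from the cloudfoundry/uaa project."""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# code_verifier alphabet and length limits from RFC 7636 section 4.1.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: a fresh high-entropy code_verifier (32 random bytes -> 43 chars)."""
    return _b64url_nopad(secrets.token_bytes(32))


def challenge_for(verifier: str, method: str = "S256") -> str:
    """Client side: derive the code_challenge sent on the authorization request.

    RFC 7636 Appendix B: verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    gives S256 challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.
    """
    if method == "S256":
        return _b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


def verify_pkce(stored_challenge: Optional[str], stored_method: Optional[str],
                presented_verifier: Optional[str]) -> bool:
    """Server side, at the token endpoint.

    stored_challenge / stored_method are what the authorization endpoint bound
    to the code (assumed persisted by the caller); presented_verifier is the
    code_verifier parameter of the token request. Returns True only when the
    verifier is well-formed and reproduces the stored challenge.
    """
    if stored_challenge is None:
        # No challenge bound to this code, so PKCE was not used on the grant.
        # Design choice for this example (not mandated by the RFC): a verifier
        # presented for a code that carries no challenge is rejected rather
        # than ignored, so the two halves of the flow cannot drift apart.
        return presented_verifier is None
    if presented_verifier is None or not _VERIFIER_RE.fullmatch(presented_verifier):
        return False
    method = stored_method or "plain"  # RFC 7636 section 4.3: absent method means plain
    if method not in ("S256", "plain"):
        return False
    expected = challenge_for(presented_verifier, method)
    # Constant-time comparison so the check does not leak challenge bytes.
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


if __name__ == "__main__":
    v = make_verifier()
    c = challenge_for(v)
    print("verifier:", v)
    print("challenge:", c)
    print("token-endpoint check:", verify_pkce(c, "S256", v))
```

Note that the server never stores the verifier and never needs the OAuth library's object model for this step: the only state involved is the challenge and method bound to the issued code, which is exactly the kind of self-contained addition the maintainer describes.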