Mitigate League OAuth2 Server Vulnerability

Nov 23, 2023
by lisan

Actions to take to mitigate CVE-2023-37260 affecting a Concrete CMS dependency

Concrete CMS is a robust content management system that empowers website owners to create and manage digital content effectively. However, like any software, it's crucial to stay vigilant about potential security vulnerabilities. In this blog post, we'll discuss the steps Concrete CMS users need to take to address a vulnerability in one of its dependencies: CVE-2023-37260 describes a high-severity vulnerability associated with League OAuth2 Server version 8.3.2.

We would first like to make it clear that this League OAuth2 Server vulnerability is only an issue for servers that are actively using the Concrete CMS REST API. This means that the site's Concrete CMS users have enabled the API in the Dashboard and have created at least one custom API integration, for custom business purposes and/or as an authentication server for another Concrete CMS install. The vast majority of Concrete sites will not be affected by CVE-2023-37260 because they do not use this feature.

League OAuth2 Server is an implementation of an OAuth 2.0 authorization server written in PHP. The vulnerability in this Concrete CMS dependency could potentially expose your website to security risks, making it imperative to take corrective action. Without remediation, servers that pass their key to the CryptKey constructor as a string instead of a file path will have that key included in a LogicException message if they do not provide a valid passphrase for the key where one is required.

Unfortunately, upgrading to League OAuth2 Server 8.5+, the recommended remediation, is not an option, since Concrete CMS 8 and Concrete CMS 9 both support PHP 7, with Concrete CMS 8 also accommodating PHP 5.5.9. We are aware that PHP versions below 8 are EOL. However, Concrete CMS continues to allow their use, since many users rely on services that backport patches to earlier versions of PHP. See https://www.concretecms.org/about/project-news/security/security-support-concrete-v8x for more information.

While CVE-2023-37260 indicates that the vulnerable League OAuth2 Server versions are 8.3.2 through 8.5.3, the Concrete CMS Chief Product Architect has identified that the League OAuth2 Server fix is also present in League OAuth2 Server 8.4.2, which has a PHP 7 release.

If you are running Concrete CMS version 9, the recommended solution is to update to version 9.2.2, which now depends on League OAuth2 Server 8.4.2.

For Concrete CMS version 8.5 users, implementing the fix requires a more manual approach due to PHP compatibility constraints. Follow these steps:

Confirm that your environment is running PHP 7, as this version is compatible with League OAuth2 Server 8.4.2.

  1. If you are using Composer to manage dependencies, open your project's composer.json file.

  2. Inside the require section, add or update the league/oauth2-server dependency to version 8.4.2.

  3. Save the file.

  4. Run composer update.
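To confirm which League OAuth2 Server release a site actually has installed, both before and after the steps above, here is an added check that is not part of the Concrete CMS post or project: it reads composer.lock and applies the version facts stated in this post (8.3.2 through 8.5.3 vulnerable, 8.4.2 fixed as the PHP 7 release, 8.5.4 and later fixed). The composer.lock excerpt it embeds is constructed for the demonstration.

```python
import json

# Version facts from the post: CVE-2023-37260 covers league/oauth2-server
# 8.3.2 through 8.5.3, except the PHP 7 compatible 8.4.2 release, which has the fix.
PACKAGE = "league/oauth2-server"
VULN_LOW = (8, 3, 2)
VULN_HIGH = (8, 5, 3)
FIXED_BACKPORT = (8, 4, 2)

def parse_version(version):
    """Turn '8.4.2' or 'v8.4.2' into (8, 4, 2); pre-release suffixes are dropped."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_vulnerable(version):
    """True if the release is inside the advisory range and is not the 8.4.2 backport."""
    v = parse_version(version)
    return v != FIXED_BACKPORT and VULN_LOW <= v <= VULN_HIGH

def installed_version(lock_text):
    """Return the locked version of league/oauth2-server, or None if it is absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg["version"]
    return None

def check_lock(lock_text):
    """Classify a composer.lock as 'vulnerable', 'fixed' or 'not-installed'."""
    version = installed_version(lock_text)
    if version is None:
        return "not-installed"
    return "vulnerable" if is_vulnerable(version) else "fixed"

# Constructed composer.lock excerpt for demonstration; not taken from any real site.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": PACKAGE, "version": "8.3.3"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))  # vulnerable
```

Point it at a real site's composer.lock (for example, `check_lock(open("composer.lock").read())`) and expect "fixed" once the update to 8.4.2 has gone through.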