Bug 1065086 (CVE-2014-0083)

Summary: CVE-2014-0083 rubygem-net-ldap: SSHA passwords generated by the net-ldap Ruby gem use a weak salt
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, bdunne, bkabrda, bkearney, chrisw, codehotter, cpelland, dajohnso, dallan, gkotton, jfrey, jomara, jrafanie, jrusnack, katello-bugs, kseifried, lhh, markmc, mmccune, obarenbo, rbryant, rhos-maint, sclewis, xlecauch, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rubygem-net-ldap 0.11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-13 21:46:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kurt Seifried 2014-02-13 21:42:46 UTC 
Pierre Carrier of airbnb reports:

The net-ldap gem generates SSHA passwords with a salt value between
"0" and "999", providing slightly less than 10 bits of entropy.

External reference:
https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap/password.rb
Comment 1 Kurt Seifried 2014-02-13 21:44:33 UTC 
Acknowledgement:

Red Hat would like to thank Pierre Carrier of airbnb for reporting this issue.
Comment 2 Kurt Seifried 2014-02-13 21:45:50 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of rubygem-net-ldap as shipped with Red Hat Subscription Asset Manager, CloudForms Management Engine and Red Hat OpenStack 3 and 4 as they did not include support for the password salting feature.
Comment 3 Ján Rusnačko 2015-05-13 15:57:31 UTC 
Fixed in commit:

https://github.com/ruby-ldap/ruby-net-ldap/commit/b412ca05f6b430eaa1ce97ac95885b4cf187b04a