Bug 1075302 (CVE-2014-0097)

Summary: CVE-2014-0097 Spring Framework: empty passwords may bypass authentication
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: chazlett, java-sig-commits, msrb, puntogil, vdanen, weli
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: spring security 3.2.2
Doc Type: Bug Fix
Last Closed: 2014-03-17 20:57:56 UTC
Bug Depends On: 1075303
Bug Blocks: 1075304

Description Murray McAllister 2014-03-12 03:38:40 UTC
It was found that empty passwords could bypass authentication. From the original advisory:

"The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password."

This issue affects versions 3.2.0 to 3.2.1, and versions 3.1.0 to 3.1.5.

External References:

http://www.gopivotal.com/security/cve-2014-0097
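
The failure mode quoted from the advisory, modelled as an added example that is not code from the bug report or from Spring Security: a constructed in-memory directory (`FakeDirectory`, with sample accounts) reproduces the LDAP simple-bind rule that a name plus an empty password is an unauthenticated bind, which succeeds wherever the directory allows anonymous binds; `vulnerable_authenticate` trusts bind success alone, while `hardened_authenticate` applies the kind of empty-password check the 3.2.2 fix introduced and additionally requires the bind to be an authenticated one.

```python
"""Model of the CVE-2014-0097 failure mode.

A directory that permits anonymous binds treats a simple bind carrying a
name and an EMPTY password as an unauthenticated (anonymous) bind, which
succeeds (RFC 4513, section 5.1.2).  An authenticator that never checks
the password length therefore "authenticates" any known user name.
The directory below is constructed for this example; nothing touches
the network.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BindResult:
    success: bool        # the server accepted the bind operation
    authenticated: bool  # False for an anonymous/unauthenticated bind


class FakeDirectory:
    """Minimal stand-in for an AD/LDAP server's simple-bind semantics."""

    def __init__(self, users: dict[str, str], allow_anonymous: bool) -> None:
        self.users = users                    # constructed sample accounts
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, name: str, password: str) -> BindResult:
        if password == "":
            # Name + empty password is an unauthenticated bind; a directory
            # that allows anonymous access reports it as successful even
            # though no credential was ever verified.
            return BindResult(success=self.allow_anonymous, authenticated=False)
        ok = self.users.get(name) == password
        return BindResult(success=ok, authenticated=ok)


def vulnerable_authenticate(d: FakeDirectory, user: str, pw: str) -> bool:
    """Pre-fix behaviour: any successful bind is taken as proof of identity."""
    return d.simple_bind(user, pw).success


def hardened_authenticate(d: FakeDirectory, user: str, pw: str) -> bool:
    """Reject empty credentials before binding, and only accept a bind the
    directory itself reports as authenticated (not merely successful)."""
    if not pw:
        return False
    r = d.simple_bind(user, pw)
    return r.success and r.authenticated
```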

Comment 1 Murray McAllister 2014-03-12 03:40:52 UTC
Created springframework-security tracking bugs for this issue:

Affects: fedora-all [bug 1075303]

Comment 2 Chess Hazlett 2014-03-17 20:57:56 UTC
Statement:

Not Vulnerable. This issue does not affect Spring as shipped with various Red Hat products.