Bug 1493998 (CVE-2017-14623)
Summary: | CVE-2017-14623 gopkg.in-ldap.v2: Authentication bypass via empty password | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, dmcphers, eparis, jburrell, jgoulding, jkeck, jokerman, maszulik, mchappel, mfojtik, nstielau, sponnaga |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-08 03:26:00 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1566145 | ||
Bug Blocks: | 1493999 |
Description
Andrej Nemec
2017-09-21 09:54:11 UTC
Statement: This issues affects the version of go-ldap/ldap with Red Hat OpenShift Container Platform (OCP) 3.11. However OpenShift explicitly checks for blank passwords in order to prevent anonymous LDAP binds. As the OpenShift 3.11 product packages the vulnerable library, it is affected, but is set to wontfix. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. The 'oc cli' in OCP 3.11 and 4.x also contains the vulnerable go-ldap/ldap library. However, while the oc binary does allow anonymous binds any unauthenticated binds are not possible. Hence the oc cli is marked affected (as it includes the library), but is set to wontfix - this may be addressed in a future release. |