Bug 1510968 (CVE-2017-8028)

Summary: CVE-2017-8028 spring-ldap: Authentication with userSearch and STARTTLS allows authentication with arbitrary password
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aileenc, chazlett, drieden, ggaughan, janstey, java-sig-commits, jochrist, puntogil, rcyriac, sisharma, ssaha, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: spring-ldap 2.3.2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in spring-ldap that allows an attacker to authenticate with an arbitrary password. When spring-ldap connected to some LDAP servers, when no additional attributes are bound, when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and when setting userSearch, authentication is allowed with an arbitrary password when the username is correct.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:30:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1510970, 1511429
Bug Blocks: 1510973

Description Andrej Nemec 2017-11-08 13:37:45 UTC
When connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

References:

https://pivotal.io/security/cve-2017-8028

Upstream issue:

https://github.com/spring-projects/spring-ldap/issues/430
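The mechanism described above is a deferred bind: the TLS strategy places the user's DN and password into the JNDI environment after STARTTLS, but some servers do not perform the bind until the next LDAP operation, so a wrong password is never checked. The following added example (not spring-ldap's or Red Hat's code, and not the upstream fix, which is to upgrade to spring-ldap 2.3.2) shows what an explicit post-bind operation looks like: a wrapper around DefaultTlsDirContextAuthenticationStrategy that reads the root DSE immediately after the bind so a bad password fails with javax.naming.AuthenticationException at authentication time. The class name VerifiedTlsAuthenticationStrategy, the method buildAuthenticator, the server URL, base DN, search base and filter are all assumptions chosen for the illustration.

```java
// Added illustration only; not part of spring-ldap or the bug report.
// Assumes spring-ldap 2.x and spring-security-ldap on the classpath.
import java.util.Hashtable;

import javax.naming.NamingException;
import javax.naming.directory.DirContext;

import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

/**
 * Wraps the STARTTLS strategy and forces the bind to take effect right away,
 * so that a server which defers the bind cannot leave the password unchecked.
 */
public class VerifiedTlsAuthenticationStrategy implements DirContextAuthenticationStrategy {

    private final DirContextAuthenticationStrategy delegate =
            new DefaultTlsDirContextAuthenticationStrategy();

    @Override
    public void setupEnvironment(Hashtable<String, Object> env, String userDn, String password)
            throws NamingException {
        // Nothing to add before the context exists; the delegate sets up TLS.
        delegate.setupEnvironment(env, userDn, password);
    }

    @Override
    public DirContext processContextAfterCreation(DirContext ctx, String userDn, String password)
            throws NamingException {
        // The delegate negotiates STARTTLS and puts the principal/credentials
        // into the JNDI environment of the context.
        DirContext bound = delegate.processContextAfterCreation(ctx, userDn, password);

        // On servers that defer the bind, nothing has been sent yet. Reading the
        // root DSE ("") is a harmless operation that forces the bind to happen
        // now; with wrong credentials JNDI raises
        // javax.naming.AuthenticationException here, which BindAuthenticator
        // turns into a failed login instead of a silent success.
        bound.getAttributes("");
        return bound;
    }

    /** Example wiring; URL, base DN, search base and filter are placeholders. */
    public static BindAuthenticator buildAuthenticator() throws Exception {
        LdapContextSource source = new LdapContextSource();
        source.setUrl("ldap://ldap.example.test:389");   // placeholder server
        source.setBase("dc=example,dc=test");             // placeholder base DN
        source.setAuthenticationStrategy(new VerifiedTlsAuthenticationStrategy());
        source.afterPropertiesSet();

        BindAuthenticator authenticator = new BindAuthenticator(source);
        // userSearch is the configuration the report names as affected.
        authenticator.setUserSearch(
                new FilterBasedLdapUserSearch("ou=people", "(uid={0})", source));
        return authenticator;
    }
}
```

A cheap regression check for an existing deployment is to call the authenticator with a known user and a deliberately wrong password against the real server and confirm it throws; if it returns a principal, the bind is being deferred and the server is exposed to this issue until spring-ldap is upgraded.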

Comment 1 Andrej Nemec 2017-11-08 13:38:06 UTC
Created spring-ldap tracking bugs for this issue:

Affects: fedora-all [bug 1510970]

Comment 5 Siddharth Sharma 2017-11-20 03:20:56 UTC
Analysis:

Red Hat Gluster Storage 3 ships rhevm-dependencies, which contains the affected code, but instead of DefaultTlsDirContextAuthenticationStrategy the code uses SimpleDirContextAuthenticationStrategy. The impact of this flaw is low for Red Hat Gluster Storage 3.

Comment 7 errata-xmlrpc 2018-02-14 19:30:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319