Bug 1728993 (CVE-2019-11272)

Summary: CVE-2019-11272 spring-security-core: mishandling of user passwords allows logging in with a password of NULL
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aileenc, chazlett, dbecker, drieden, ggaughan, janstey, jjoyce, jochrist, jschluet, kbasil, lhh, lpeer, mburns, mkolesni, sclewis, scohen, slinaber
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Spring Security in several versions, in the use of plain text passwords using the PlaintextPasswordEncoder. If an application is using an affected version of Spring Security with the PlaintextPasswordEncoder and a user has a null encoded password, an attacker can use this flaw to authenticate using a password of "null."
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-26 16:32:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1728994

Description Marian Rehak 2019-07-11 07:35:13 UTC
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

External References:

https://pivotal.io/security/cve-2019-11272

Comment 2 Joshua Padman 2019-07-24 05:03:59 UTC
Statement:

Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.

Comment 5 Jonathan Christison 2019-10-11 16:28:03 UTC
Re-scoring lower (5.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) based on the following information 

* Pivotal mark this as "low" - https://pivotal.io/security/cve-2019-11272
* The application would have to be written in such a way that would permit the transport of null passwords through several methods, which would defy security practices for password handling in applications 

The following have been changed to reflect this: 
AC (L->H): isPasswordValid would have to be passed a null, not using the provided encodePassword method; the documentation states "the encoded password should have previously been generated by encodePassword(String, Object). This method will encode the rawPass (using the optional salt), and then compared it with the presented encPass."

UI (N->R): Only user accounts with a null password (created incorrectly) would be affected
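As an added illustration, not code from this bug, from Spring Security or from Red Hat, the following hypothetical Java model reproduces the defect pattern the description and Comment 5 discuss (a stored null password being implicitly converted to the string "null" before comparison) next to a fail-closed replacement; the class and method names `NullPasswordCheck`, `vulnerableIsPasswordValid` and `hardenedIsPasswordValid` are invented for this example, and the sample account data is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Hypothetical, self-contained model of the flaw class in CVE-2019-11272.
 * This is NOT Spring Security's source; it only mirrors the defect pattern
 * (implicit null-to-"null" string conversion) beside a hardened check.
 */
public class NullPasswordCheck {

    /** Vulnerable model: "" + null yields the literal string "null", so an
     *  account whose encoded password was never set matches a presented
     *  password of "null". */
    static boolean vulnerableIsPasswordValid(String encPass, String rawPass) {
        String stored = "" + encPass;      // null becomes "null"
        String presented = "" + rawPass;
        return stored.equals(presented);
    }

    /** Hardened model: an absent or empty stored credential never
     *  authenticates, and the byte comparison is constant-time. */
    static boolean hardenedIsPasswordValid(String encPass, String rawPass) {
        if (encPass == null || encPass.isEmpty() || rawPass == null) {
            return false;                  // fail closed on missing data
        }
        return MessageDigest.isEqual(
                encPass.getBytes(StandardCharsets.UTF_8),
                rawPass.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed account record: the encoded password was never set.
        String storedPassword = null;

        System.out.println("vulnerable model, presented \"null\": "
                + vulnerableIsPasswordValid(storedPassword, "null"));
        System.out.println("hardened model,   presented \"null\": "
                + hardenedIsPasswordValid(storedPassword, "null"));
        System.out.println("hardened model,   matching secret:  "
                + hardenedIsPasswordValid("s3cret", "s3cret"));
    }
}
```

Running the model with a null stored password shows the vulnerable check accepting "null" while the hardened check rejects it; in a real deployment the fix is to upgrade to a patched Spring Security release and to stop storing plaintext passwords at all.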

Comment 7 errata-xmlrpc 2020-03-26 15:47:46 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

Comment 8 Product Security DevOps Team 2020-03-26 16:32:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11272