Bug 885569 (CVE-2012-5629)

Summary: CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aneelica, asantos, ccrouch, dbosanac, dmehra, jawilson, jcacek, jlieskov, lgao, mgencur, mjc, myarboro, pcheung, pslavice, rcvalle, security-response-team, sjacobs, spinder, theute
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20130204,reported=20121207,source=customer,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,cwe=CWE-20->CWE-305,brms-5/jbosssx=affected,soap-5/jbosssx=affected,soap-4.2/jbosssx=affected,soap-4.3/jbosssx=affected,epp-4/jbosssx=affected,epp-5/jbosssx=affected,jdg-6/picketbox=affected,jon-3.1/jbosssx=notaffected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-20 12:29:22 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 873846, 884927, 893240, 893241, 893242, 893243, 893244, 893245, 893246, 901251, 901323, 903913, 916429, 923779    
Bug Blocks: 885052, 885907, 906153    

Description David Jorm 2012-12-10 00:45:45 EST
The jboss-as-domain-management and jbosssx (now part of PicketLink) modules under default conditions allow users to authenticate with a blank password when LDAP authentication is configured and unauthenticated authentication is supported by the LDAP server. This is in violation of the recommendations of RFC 4513, which states that clients should disallow empty passwords as input to a name/password authentication interface, and not allow the input of an empty password to trigger the selection of the unauthenticated authentication mechanism.
Comment 6 errata-xmlrpc 2013-02-04 18:22:42 EST
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0230 https://rhn.redhat.com/errata/RHSA-2013-0230.html
Comment 7 errata-xmlrpc 2013-02-04 18:23:17 EST
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0229 https://rhn.redhat.com/errata/RHSA-2013-0229.html
Comment 8 errata-xmlrpc 2013-02-04 18:33:12 EST
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5
  JBEAP 6 for RHEL 6

Via RHSA-2013:0231 https://rhn.redhat.com/errata/RHSA-2013-0231.html
Comment 9 errata-xmlrpc 2013-02-04 18:44:35 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0234 https://rhn.redhat.com/errata/RHSA-2013-0234.html
Comment 10 errata-xmlrpc 2013-02-04 18:45:09 EST
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0233 https://rhn.redhat.com/errata/RHSA-2013-0233.html
Comment 11 errata-xmlrpc 2013-02-04 18:45:42 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0232 https://rhn.redhat.com/errata/RHSA-2013-0232.html
Comment 12 errata-xmlrpc 2013-02-11 13:01:01 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2013:0248 https://rhn.redhat.com/errata/RHSA-2013-0248.html
Comment 13 errata-xmlrpc 2013-02-11 13:13:54 EST
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2013:0249 https://rhn.redhat.com/errata/RHSA-2013-0249.html
Comment 14 errata-xmlrpc 2013-03-04 16:01:05 EST
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.1
  JBoss Enterprise Portal Platform 4.3.0 CP07
  JBoss Enterprise Portal Platform 5.2.2
  JBoss Enterprise SOA Platform 4.2.0 CP05
  JBoss Enterprise SOA Platform 4.3.0 CP05

Via RHSA-2013:0586 https://rhn.redhat.com/errata/RHSA-2013-0586.html
Comment 15 errata-xmlrpc 2013-03-20 11:59:45 EDT
This issue has been addressed in following products:

  JBoss Data Grid 6.1.0

Via RHSA-2013:0665 https://rhn.redhat.com/errata/RHSA-2013-0665.html