Bug 1510968 - (CVE-2017-8028) CVE-2017-8028 spring-ldap: Authentication with userSearch and STARTTLS allows authentication with arbitrary password
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20171016,repo...
Keywords: Security
Depends On: 1510970 1511429
Blocks: 1510973
Reported: 2017-11-08 08:37 EST by Andrej Nemec
Modified: 2018-02-15 13:16 EST (History)
Fixed In Version: spring-ldap 2.3.2
Doc Text:
A vulnerability was found in spring-ldap that allows an attacker to authenticate with an arbitrary password. When spring-ldap connects to some LDAP servers with no additional attributes bound, using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy and with userSearch set, authentication succeeds with an arbitrary password as long as the username is correct.
External Trackers:
  Tracker ID: Red Hat Product Errata RHSA-2018:0319
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: Important: Red Hat JBoss Fuse/A-MQ 6.3 R6 security and bug fix update
  Last Updated: 2018-02-14 19:29:46 EST
Description Andrej Nemec 2017-11-08 08:37:45 EST
When connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

References:

https://pivotal.io/security/cve-2017-8028

Upstream issue:

https://github.com/spring-projects/spring-ldap/issues/430
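The wiring this report describes, next to the simple-bind variant the analysis comment below reports as unaffected, as an added Java example built on Spring Security's LDAP classes (not code from this report or from the spring-ldap project). The server URLs, base DN and search filter are constructed placeholders, and pairing the second variant with an ldaps:// URL is this example's own assumption so the channel stays encrypted without STARTTLS.

```java
import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.SimpleDirContextAuthenticationStrategy;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

public class LdapBindConfig {
    private static final String BASE_DN = "dc=example,dc=com"; // constructed placeholder
    private static final String USER_FILTER = "(uid={0})";      // constructed placeholder

    // The combination the report describes: BindAuthenticator + userSearch +
    // DefaultTlsDirContextAuthenticationStrategy (STARTTLS) on spring-ldap before 2.3.2;
    // on some LDAP servers the bind only takes effect on a later explicit operation.
    static BindAuthenticator affectedAuthenticator() throws Exception {
        DefaultSpringSecurityContextSource cs =
                new DefaultSpringSecurityContextSource("ldap://ldap.example.com:389/" + BASE_DN);
        cs.setAuthenticationStrategy(new DefaultTlsDirContextAuthenticationStrategy());
        cs.afterPropertiesSet();
        BindAuthenticator auth = new BindAuthenticator(cs);
        auth.setUserSearch(new FilterBasedLdapUserSearch("ou=people", USER_FILTER, cs));
        return auth;
    }

    // The variant the analysis comment reports as unaffected: a plain simple bind. Using an
    // ldaps:// URL is this example's assumption so the channel stays encrypted without
    // STARTTLS; the actual fix is upgrading to spring-ldap 2.3.2.
    static BindAuthenticator simpleBindAuthenticator() throws Exception {
        DefaultSpringSecurityContextSource cs =
                new DefaultSpringSecurityContextSource("ldaps://ldap.example.com:636/" + BASE_DN);
        cs.setAuthenticationStrategy(new SimpleDirContextAuthenticationStrategy());
        cs.afterPropertiesSet();
        BindAuthenticator auth = new BindAuthenticator(cs);
        auth.setUserSearch(new FilterBasedLdapUserSearch("ou=people", USER_FILTER, cs));
        return auth;
    }

    // Bind as the user and report whether the directory accepted the credentials; with the
    // affected wiring this is true for a valid username regardless of the password supplied.
    static boolean passwordAccepted(BindAuthenticator auth, String username, String password) {
        try {
            return auth.authenticate(new UsernamePasswordAuthenticationToken(username, password)) != null;
        } catch (org.springframework.security.core.AuthenticationException e) {
            return false;
        }
    }
}
```

Running passwordAccepted against a test directory with a valid username and a deliberately wrong password is a quick way to check whether a deployment's spring-ldap version and strategy are still exposed.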
Comment 1 Andrej Nemec 2017-11-08 08:38:06 EST
Created spring-ldap tracking bugs for this issue:

Affects: fedora-all [bug 1510970]
Comment 5 Siddharth Sharma 2017-11-19 22:20:56 EST
Analysis:

Red Hat Gluster Storage 3 ships rhevm-dependencies which contains affected code but instead of DefaultTlsDirContextAuthenticationStrategy code uses SimpleDirContextAuthenticationStrategy. Impact of this flaw is low for Red Hat Gluster Storage 3.
Comment 7 errata-xmlrpc 2018-02-14 14:30:18 EST
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319