Bug 885569 (CVE-2012-5629) - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP
Summary: CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5629
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 885049 (view as bug list)
Depends On: 873846 884927 893240 893241 893242 893243 893244 893245 893246 901251 901323 903913 916429 923779
Blocks: 885052 885907 906153
 
Reported: 2012-12-10 05:45 UTC by David Jorm
Modified: 2019-09-29 12:58 UTC
CC: 19 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-20 16:29:22 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBPAPP-10546 0 Major Closed CVE-2012-5629 - EAP5 Requires fix 2018-07-19 18:07:08 UTC
Red Hat Issue Tracker JBPAPP-10547 0 Major Resolved CVE-2012-5629 - EAP4 Requires fix 2018-07-19 18:07:08 UTC
Red Hat Issue Tracker JBPAPP-10581 0 Critical Resolved CVE-2012-5629 One-off patch required for EAP/EWP-5.2.0 2018-07-19 18:07:08 UTC
Red Hat Issue Tracker JBPAPP-10582 0 Critical Resolved CVE-2012-5629 One-off patch required for EAP-4.3.0 2018-07-19 18:07:08 UTC
Red Hat Issue Tracker JBPAPP6-1704 0 Blocker Closed The LDAP authentication for realms is accepting empty passwords. 2018-07-19 18:07:08 UTC
Red Hat Issue Tracker JBPAPP6-1791 0 Critical Closed CVE-2012-5629 One-off patch required for EAP-6.0.1 2018-07-19 18:07:08 UTC
Red Hat Product Errata RHSA-2013:0229 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 security update 2013-02-05 04:21:37 UTC
Red Hat Product Errata RHSA-2013:0230 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 security update 2013-02-05 04:21:29 UTC
Red Hat Product Errata RHSA-2013:0231 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.0.1 security update 2013-02-05 04:31:47 UTC
Red Hat Product Errata RHSA-2013:0232 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 5.2.0 security update 2013-02-05 04:42:35 UTC
Red Hat Product Errata RHSA-2013:0233 0 normal SHIPPED_LIVE Important: JBoss Enterprise Web Platform 5.2.0 security update 2013-02-05 04:42:31 UTC
Red Hat Product Errata RHSA-2013:0234 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.0.1 security update 2013-02-05 04:42:26 UTC
Red Hat Product Errata RHSA-2013:0248 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update 2013-02-11 22:59:06 UTC
Red Hat Product Errata RHSA-2013:0249 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 4.3.0 CP10 security update 2013-02-11 23:11:54 UTC
Red Hat Product Errata RHSA-2013:0586 0 normal SHIPPED_LIVE Important: jbosssx security update 2013-03-05 02:00:14 UTC
Red Hat Product Errata RHSA-2013:0665 0 normal SHIPPED_LIVE Important: JBoss Data Grid 6.1.0 update 2013-03-20 19:58:45 UTC

Description David Jorm 2012-12-10 05:45:45 UTC
The jboss-as-domain-management and jbosssx (now part of PicketLink) modules under default conditions allow users to authenticate with a blank password when LDAP authentication is configured and unauthenticated authentication is supported by the LDAP server. This is in violation of the recommendations of RFC 4513, which states that clients should disallow empty passwords as input to a name/password authentication interface, and not allow the input of an empty password to trigger the selection of the unauthenticated authentication mechanism.
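
The behaviour described above hinges on RFC 4513 section 5.1.2: a simple bind that carries a non-empty name and an empty password is not an error on a server that supports unauthenticated authentication; it succeeds and leaves the connection in an anonymous authorization state. A login routine that treats "the bind did not fail" as "the user is authenticated" therefore accepts any account name with a blank password. The following Python model is an added example, not code from JBoss, PicketLink or the fix; the directory server, the DN and the password are constructed stand-ins, and the model exists only to show the client-side guard the RFC asks for (reject an empty password before it reaches the wire, and accept nothing short of an authenticated bind result).

```python
"""Model of RFC 4513 simple-bind outcomes and a client-side guard against
the empty-password pitfall.  Added example; not JBoss/PicketLink code."""
from dataclasses import dataclass, field
from typing import Dict, Optional


class BindError(Exception):
    """Stands in for an LDAP bind error result (invalidCredentials etc.)."""


@dataclass
class SimulatedLdapServer:
    """Constructed stand-in for a directory.  Returns the authorization state
    a simple bind ends in, or raises BindError, following RFC 4513 section 5.1:
      5.1.1 anonymous:        empty name, empty password   -> "anonymous"
      5.1.2 unauthenticated:  name present, empty password -> "anonymous"
                              (only when the server supports it)
      5.1.3 name/password:    name and password checked    -> "authenticated"
    """
    passwords: Dict[str, str] = field(default_factory=dict)  # dn -> password
    allow_unauthenticated: bool = True  # the default this bug relies on

    def simple_bind(self, dn: str, password: str) -> str:
        if dn == "" and password == "":
            return "anonymous"
        if dn != "" and password == "":
            if self.allow_unauthenticated:
                return "anonymous"  # succeeds, but grants no identity
            raise BindError("unwillingToPerform: unauthenticated bind disabled")
        if dn in self.passwords and self.passwords[dn] == password:
            return "authenticated"
        raise BindError("invalidCredentials")


def vulnerable_login(server: SimulatedLdapServer, dn: str,
                     password: Optional[str]) -> bool:
    """The pattern the report describes: any bind that does not raise is
    treated as a successful login, so an empty password is accepted."""
    try:
        server.simple_bind(dn, password or "")
        return True
    except BindError:
        return False


def hardened_login(server: SimulatedLdapServer, dn: str,
                   password: Optional[str]) -> bool:
    """RFC 4513 section 5.1.2 guard: refuse an empty (or absent) password
    before binding, and require an *authenticated* result afterwards so a
    server that silently downgrades to anonymous still cannot log anyone in."""
    if not dn or password is None or password == "":
        return False
    try:
        return server.simple_bind(dn, password) == "authenticated"
    except BindError:
        return False


# Constructed sample directory: one user with a known password.
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"  # constructed DN
SAMPLE_SERVER = SimulatedLdapServer({ALICE_DN: "correct-horse"})


def compare_outcomes(server: SimulatedLdapServer = SAMPLE_SERVER) -> Dict[str, bool]:
    """Run both login routines against the same inputs for side-by-side review."""
    return {
        "vulnerable_empty_password": vulnerable_login(server, ALICE_DN, ""),
        "hardened_empty_password": hardened_login(server, ALICE_DN, ""),
        "hardened_good_password": hardened_login(server, ALICE_DN, "correct-horse"),
        "hardened_bad_password": hardened_login(server, ALICE_DN, "wrong"),
    }


if __name__ == "__main__":
    for case, accepted in compare_outcomes().items():
        print(f"{case:28s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The client-side check is the fix the report calls for, because the server's behaviour is outside the application's control. Disabling unauthenticated binds on the directory server is a worthwhile second layer (the model's `allow_unauthenticated=False` shows that the vulnerable routine then fails closed), but it does not replace the client guard: the application cannot know which server policy a deployment will meet.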

Comment 6 errata-xmlrpc 2013-02-04 23:22:42 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0230 https://rhn.redhat.com/errata/RHSA-2013-0230.html

Comment 7 errata-xmlrpc 2013-02-04 23:23:17 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0229 https://rhn.redhat.com/errata/RHSA-2013-0229.html

Comment 8 errata-xmlrpc 2013-02-04 23:33:12 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5
  JBEAP 6 for RHEL 6

Via RHSA-2013:0231 https://rhn.redhat.com/errata/RHSA-2013-0231.html

Comment 9 errata-xmlrpc 2013-02-04 23:44:35 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0234 https://rhn.redhat.com/errata/RHSA-2013-0234.html

Comment 10 errata-xmlrpc 2013-02-04 23:45:09 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0233 https://rhn.redhat.com/errata/RHSA-2013-0233.html

Comment 11 errata-xmlrpc 2013-02-04 23:45:42 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0232 https://rhn.redhat.com/errata/RHSA-2013-0232.html

Comment 12 errata-xmlrpc 2013-02-11 18:01:01 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2013:0248 https://rhn.redhat.com/errata/RHSA-2013-0248.html

Comment 13 errata-xmlrpc 2013-02-11 18:13:54 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2013:0249 https://rhn.redhat.com/errata/RHSA-2013-0249.html

Comment 14 errata-xmlrpc 2013-03-04 21:01:05 UTC
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.3.1
  JBoss Enterprise Portal Platform 4.3.0 CP07
  JBoss Enterprise Portal Platform 5.2.2
  JBoss Enterprise SOA Platform 4.2.0 CP05
  JBoss Enterprise SOA Platform 4.3.0 CP05

Via RHSA-2013:0586 https://rhn.redhat.com/errata/RHSA-2013-0586.html

Comment 15 errata-xmlrpc 2013-03-20 15:59:45 UTC
This issue has been addressed in the following products:

  JBoss Data Grid 6.1.0

Via RHSA-2013:0665 https://rhn.redhat.com/errata/RHSA-2013-0665.html
