Bug 885569 - CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20130204,repo...
Keywords: Security
Duplicates: 885049
Depends On: 873846 884927 893240 893241 893242 893243 893244 893245 893246 901251 901323 903913 916429 923779
Blocks: 885052 885907 906153

Reported: 2012-12-10 00:45 EST by David Jorm
Modified: 2014-10-20 20:04 EDT
Last Closed: 2013-03-20 12:29:22 EDT
Doc Type: Bug Fix

External Trackers (all in the JBoss Issue Tracker; each last updated 2017-01-10 08:33 EST)
JBPAPP-10546 (Major, Closed): CVE-2012-5629 - EAP5 Requires fix
JBPAPP-10547 (Major, Resolved): CVE-2012-5629 - EAP4 Requires fix
JBPAPP-10581 (Critical, Resolved): CVE-2012-5629 One-off patch required for EAP/EWP-5.2.0
JBPAPP-10582 (Critical, Resolved): CVE-2012-5629 One-off patch required for EAP-4.3.0
JBPAPP6-1704 (Blocker, Closed): The LDAP authentication for realms is accepting empty passwords.
JBPAPP6-1791 (Critical, Closed): CVE-2012-5629 One-off patch required for EAP-6.0.1

Description David Jorm 2012-12-10 00:45:45 EST
The jboss-as-domain-management and jbosssx (now part of PicketLink) modules under default conditions allow users to authenticate with a blank password when LDAP authentication is configured and unauthenticated authentication is supported by the LDAP server. This is in violation of the recommendations of RFC 4513, which states that clients should disallow empty passwords as input to a name/password authentication interface, and not allow the input of an empty password to trigger the selection of the unauthenticated authentication mechanism.
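A constructed model of the failure mode described in the report, added here as an example that is not part of the bug report or of the JBoss/PicketLink code: a mock directory applies the RFC 4513 simple-bind rules (anonymous, unauthenticated, name/password), and two client login paths show why forwarding an empty password unchanged "authenticates" a user while rejecting empty input before the bind does not. The directory contents, the server's unauthenticated-bind policy and all function names are assumptions.

```python
from dataclasses import dataclass

# Constructed directory contents (DN -> password); not a real deployment.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse",
    "uid=bob,ou=people,dc=example,dc=com": "s3cret",
}


@dataclass
class BindResult:
    success: bool        # the server answered the Bind with success
    authenticated: bool  # True only for a real name/password bind
    mechanism: str       # anonymous | unauthenticated | name/password


class MockLdapServer:
    """Simple Bind semantics from RFC 4513 section 5.1 (assumed model)."""

    def __init__(self, allow_unauthenticated: bool = True):
        # The report's precondition: the server supports the unauthenticated
        # mechanism (RFC 4513 says servers SHOULD refuse it by default).
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn == "" and password == "":
            return BindResult(True, False, "anonymous")  # section 5.1.1
        if password == "":
            # Non-empty name plus zero-length password selects the
            # unauthenticated mechanism; no credential is checked at all.
            return BindResult(self.allow_unauthenticated, False, "unauthenticated")
        ok = DIRECTORY.get(dn) == password  # section 5.1.3, name/password
        return BindResult(ok, ok, "name/password")


def login_vulnerable(server: MockLdapServer, dn: str, password: str) -> bool:
    """Forwards the submitted password to the bind unchanged: an empty password
    yields a successful bind, so the caller believes the user authenticated."""
    return server.simple_bind(dn, password).success


def login_fixed(server: MockLdapServer, dn: str, password: str) -> bool:
    """Rejects empty input before binding, as RFC 4513 recommends for
    name/password interfaces, and also insists on an authenticated result."""
    if not dn or not password:
        return False
    result = server.simple_bind(dn, password)
    return result.success and result.authenticated
```

The second guard in login_fixed matters on its own: even if a later refactor lets an empty password through, a bind that the server reports as successful but not authenticated is still refused.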
Comment 6 errata-xmlrpc 2013-02-04 18:22:42 EST
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0230 https://rhn.redhat.com/errata/RHSA-2013-0230.html
Comment 7 errata-xmlrpc 2013-02-04 18:23:17 EST
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0229 https://rhn.redhat.com/errata/RHSA-2013-0229.html
Comment 8 errata-xmlrpc 2013-02-04 18:33:12 EST
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5
  JBEAP 6 for RHEL 6

Via RHSA-2013:0231 https://rhn.redhat.com/errata/RHSA-2013-0231.html
Comment 9 errata-xmlrpc 2013-02-04 18:44:35 EST
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2013:0234 https://rhn.redhat.com/errata/RHSA-2013-0234.html
Comment 10 errata-xmlrpc 2013-02-04 18:45:09 EST
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0233 https://rhn.redhat.com/errata/RHSA-2013-0233.html
Comment 11 errata-xmlrpc 2013-02-04 18:45:42 EST
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0232 https://rhn.redhat.com/errata/RHSA-2013-0232.html
Comment 12 errata-xmlrpc 2013-02-11 13:01:01 EST
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2013:0248 https://rhn.redhat.com/errata/RHSA-2013-0248.html
Comment 13 errata-xmlrpc 2013-02-11 13:13:54 EST
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5

Via RHSA-2013:0249 https://rhn.redhat.com/errata/RHSA-2013-0249.html
Comment 14 errata-xmlrpc 2013-03-04 16:01:05 EST
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.3.1
  JBoss Enterprise Portal Platform 4.3.0 CP07
  JBoss Enterprise Portal Platform 5.2.2
  JBoss Enterprise SOA Platform 4.2.0 CP05
  JBoss Enterprise SOA Platform 4.3.0 CP05

Via RHSA-2013:0586 https://rhn.redhat.com/errata/RHSA-2013-0586.html
Comment 15 errata-xmlrpc 2013-03-20 11:59:45 EDT
This issue has been addressed in the following products:

  JBoss Data Grid 6.1.0

Via RHSA-2013:0665 https://rhn.redhat.com/errata/RHSA-2013-0665.html