Spring LDAP: when Spring Security's LDAP BindAuthenticator is configured with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, a userSearch is set, and no additional attributes are bound, authentication succeeds with an arbitrary password for any valid username against some LDAP servers. The cause is that some LDAP vendors require an explicit LDAP operation before a bind takes effect, so in this configuration the user's password is never actually verified by the directory. References: https://pivotal.io/security/cve-2017-8028 Upstream issue: https://github.com/spring-projects/spring-ldap/issues/430
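The following is an added example, not code from the advisory or from the Spring projects. It builds the affected configuration (BindAuthenticator, DefaultTlsDirContextAuthenticationStrategy, userSearch, no extra attributes) as a regression probe that checks whether a known username with a deliberately wrong password is rejected, and places a hardened strategy beside it that forces the bind with LdapContext.reconnect(null), the JNDI-documented way to re-authenticate with the context's updated environment. The LDAP URL, manager DN, search base, filter and test account are assumptions; so is the protected applyAuthentication(LdapContext, String, String) signature being overridable. Running it requires a StartTLS-capable directory whose certificate the JVM trusts.

```java
import javax.naming.NamingException;
import javax.naming.ldap.LdapContext;

import org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.DirContextAuthenticationStrategy;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

/**
 * Regression probe for CVE-2017-8028: with the StartTLS authentication strategy
 * and a userSearch, does BindAuthenticator still reject a wrong password?
 * All connection details below are hypothetical; replace them with your own.
 */
public class Cve20178028Probe {

    // Assumed values for illustration only.
    static final String LDAP_URL = "ldap://ldap.example.test:389/dc=example,dc=test";
    static final String MANAGER_DN = "cn=reader,dc=example,dc=test";   // used for the user search
    static final String MANAGER_PASSWORD = "reader-password";
    static final String SEARCH_BASE = "ou=people";
    static final String SEARCH_FILTER = "(uid={0})";
    static final String KNOWN_USER = "alice";                          // an account that exists
    static final String WRONG_PASSWORD = "definitely-not-alices-password";

    /**
     * Hardened variant (assumption: applyAuthentication is protected and
     * overridable): after the credentials are placed in the context environment,
     * force the bind with reconnect(null) so a server that needs an explicit
     * operation before the bind takes effect actually verifies the password.
     */
    static class ExplicitBindTlsStrategy extends DefaultTlsDirContextAuthenticationStrategy {
        @Override
        protected void applyAuthentication(LdapContext ctx, String userDn, String password)
                throws NamingException {
            super.applyAuthentication(ctx, userDn, password);
            ctx.reconnect(null); // explicit operation: bind now, with the supplied credentials
        }
    }

    /** Builds the configuration the advisory describes, with a pluggable strategy. */
    static BindAuthenticator buildAuthenticator(DirContextAuthenticationStrategy strategy)
            throws Exception {
        DefaultSpringSecurityContextSource contextSource =
                new DefaultSpringSecurityContextSource(LDAP_URL);
        contextSource.setUserDn(MANAGER_DN);
        contextSource.setPassword(MANAGER_PASSWORD);
        contextSource.setAuthenticationStrategy(strategy);
        contextSource.afterPropertiesSet();

        BindAuthenticator authenticator = new BindAuthenticator(contextSource);
        // userSearch set, no additional attributes bound: the affected shape
        authenticator.setUserSearch(
                new FilterBasedLdapUserSearch(SEARCH_BASE, SEARCH_FILTER, contextSource));
        return authenticator;
    }

    /** true if the wrong password is rejected; false if the bind is (wrongly) accepted. */
    static boolean rejectsWrongPassword(BindAuthenticator authenticator) {
        try {
            authenticator.authenticate(
                    new UsernamePasswordAuthenticationToken(KNOWN_USER, WRONG_PASSWORD));
            return false; // authenticated with an arbitrary password: affected
        } catch (BadCredentialsException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DefaultTlsDirContextAuthenticationStrategy rejects wrong password: "
                + rejectsWrongPassword(buildAuthenticator(
                        new DefaultTlsDirContextAuthenticationStrategy())));
        System.out.println("ExplicitBindTlsStrategy rejects wrong password: "
                + rejectsWrongPassword(buildAuthenticator(new ExplicitBindTlsStrategy())));
    }
}
```

A false result for the first line against your directory means the deployment is affected. The durable fix is a spring-ldap release that resolves the upstream issue linked above; the subclass is a stopgap for builds that cannot yet be upgraded, and switching to SimpleDirContextAuthenticationStrategy (which binds with the user's credentials when the context is created, at the cost of no StartTLS upgrade on the connection) is the other configuration this advisory treats as not affected.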
Created spring-ldap tracking bugs for this issue: Affects: fedora-all [bug 1510970]
Analysis: Red Hat Gluster Storage 3 ships rhevm-dependencies, which contains the affected code, but that code uses SimpleDirContextAuthenticationStrategy rather than DefaultTlsDirContextAuthenticationStrategy, so the vulnerable code path is not exercised. The impact of this flaw on Red Hat Gluster Storage 3 is therefore low.
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319