Bug 1510968 (CVE-2017-8028) - CVE-2017-8028 spring-ldap: Authentication with userSearch and STARTTLS allows authentication with arbitrary password
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-8028
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1510970 1511429
Blocks: 1510973
Reported: 2017-11-08 13:37 UTC by Andrej Nemec
Modified: 2020-12-15 15:29 UTC (History)

Fixed In Version: spring-ldap 2.3.2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in spring-ldap that allows an attacker to authenticate with an arbitrary password. When spring-ldap connects to some LDAP servers, when no additional attributes are bound, when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and when userSearch is set, authentication succeeds with an arbitrary password as long as the username is correct.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:30:49 UTC
Embargoed:


Links:
  System: Red Hat Product Errata
  ID: RHSA-2018:0319
  Private: 0
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: Important: Red Hat JBoss Fuse/A-MQ 6.3 R6 security and bug fix update
  Last Updated: 2018-02-15 00:29:46 UTC

Description Andrej Nemec 2017-11-08 13:37:45 UTC
When connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. This occurs because some LDAP vendors require an explicit operation for the LDAP bind to take effect.

References:

https://pivotal.io/security/cve-2017-8028

Upstream issue:

https://github.com/spring-projects/spring-ldap/issues/430
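
The lazy-bind behaviour the description points at can be verified directly against a server with plain JNDI, independently of spring-ldap. The following is an added example, not code from the spring-ldap project or from this bug report: it applies the user's credentials to an already-opened, STARTTLS-upgraded context the way the TLS authentication strategy does, and then issues the explicit operation the comment refers to (a forced bind via LdapContext.reconnect(null)) so that a wrong password is reported as an AuthenticationException instead of silently going untested. The server URL, the test DN and both passwords are placeholders to replace with your own test account; the durable fix remains upgrading to spring-ldap 2.3.2 as listed in "Fixed In Version".

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/**
 * Added example (not part of spring-ldap): checks that an LDAP server really
 * validates credentials that are applied after STARTTLS, by forcing the bind
 * instead of leaving it to the next (possibly never issued) operation.
 */
public final class StartTlsBindCheck {

    private StartTlsBindCheck() {}

    /**
     * Opens an anonymous connection, upgrades it with STARTTLS, puts the
     * user's credentials into the context environment, and then forces a
     * bind with reconnect(null). JNDI otherwise defers the bind until the
     * next LDAP operation; a caller that fetches no further attributes would
     * never learn that the password was wrong.
     *
     * @return true only if the server accepted the credentials
     */
    public static boolean authenticate(String url, String userDn, String password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // Upgrade the plaintext connection before any credentials are sent.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();

            // Credentials applied to an existing context: same shape as the
            // TLS strategy described in this bug.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

            // The explicit operation: bind now. A rejected password surfaces
            // here as AuthenticationException.
            ctx.reconnect(null);
            return true;
        } catch (AuthenticationException e) {
            return false; // server rejected the bind (wrong password or unknown DN)
        } finally {
            if (tls != null) {
                try {
                    tls.close();
                } catch (IOException ignored) {
                    // connection is being torn down anyway
                }
            }
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values (assumed); point them at a test server and test account.
        String url = "ldap://ldap.example.test:389";
        String userDn = "uid=testuser,ou=people,dc=example,dc=test";

        boolean accepted = authenticate(url, userDn, "correct-password");
        boolean rejected = !authenticate(url, userDn, "wrong-password");
        System.out.println("correct password accepted: " + accepted);
        System.out.println("wrong password rejected:   " + rejected);
    }
}
```

Run it against the LDAP server your deployment actually talks to: if the second call returns true without the reconnect(null) line, that server is one of the "some LDAP servers" the report describes, and any client that sets credentials on an open context without a subsequent operation is not authenticating at all.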

Comment 1 Andrej Nemec 2017-11-08 13:38:06 UTC
Created spring-ldap tracking bugs for this issue:

Affects: fedora-all [bug 1510970]

Comment 5 Siddharth Sharma 2017-11-20 03:20:56 UTC
Analysis:

Red Hat Gluster Storage 3 ships rhevm-dependencies, which contains the affected code, but instead of DefaultTlsDirContextAuthenticationStrategy the code uses SimpleDirContextAuthenticationStrategy. The impact of this flaw is low for Red Hat Gluster Storage 3.

Comment 7 errata-xmlrpc 2018-02-14 19:30:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:0319 https://access.redhat.com/errata/RHSA-2018:0319

