Spring Security issue SEC-2500

CVE-2014-0097: LDAP code may be vulnerable to anonymous bind issues with AD

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.2.1
    • Fix Version/s: 3.1.6, 3.2.2
    • Component/s: LDAP
    • Security Level: Public
    • Labels: None

      Description

      This resolves CVE-2014-0097 which allows a malicious user to impersonate a user with an empty password if ALL of the following hold true:

      • The application is using ActiveDirectoryLdapAuthenticator
      • The directory allows anonymous binds (not recommended)

      NOTE: This does NOT impact users of LdapAuthenticationProvider or <ldap-authentication-provider>

      There is already a check for an empty password when using normal LDAP authentication, but it is in BindAuthenticator, which is not used by ActiveDirectoryLdapAuthenticator. The latter has its own bind method which does not check the password length. If the directory allows anonymous binds (I'm not sure whether this is an issue with AD), then it may incorrectly authenticate a user who supplies an empty password.

      The password length check should be moved to AbstractLdapAuthenticationProvider.authenticate.
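      The root cause the description points at is that an LDAP simple bind with a name and an empty password is the "unauthenticated" authentication mechanism of RFC 4513 section 5.1.2, which a directory that permits it answers with success as an anonymous session, so a provider that binds with whatever credentials it is handed will accept an empty password. The following is an added example, not code from this issue or from the Spring Security code base: a hypothetical wrapper provider, EmptyPasswordRejectingProvider, that performs the missing length check before any bind is attempted. It can be placed in front of the Active Directory provider (the class the description calls ActiveDirectoryLdapAuthenticator is ActiveDirectoryLdapAuthenticationProvider in the code base) as a defence in depth for deployments that cannot immediately move to 3.1.6 or 3.2.2. The package name and class name are assumptions; the Spring Security types used (AuthenticationProvider, Authentication, BadCredentialsException) are the real ones.

```java
package example; // assumed package name, not part of Spring Security

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Hypothetical guard (added example): wraps any AuthenticationProvider that
 * performs an LDAP bind and refuses to forward a request whose password is
 * null or empty. Without this check, a simple bind with an empty password is
 * an RFC 4513 "unauthenticated" bind, which a directory that allows anonymous
 * binds answers with success, so the caller would be treated as logged in.
 */
public final class EmptyPasswordRejectingProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;

    public EmptyPasswordRejectingProvider(AuthenticationProvider delegate) {
        if (delegate == null) {
            throw new IllegalArgumentException("delegate must not be null");
        }
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Fail closed before the directory is ever contacted; the message is
        // deliberately generic so it does not reveal which check tripped.
        if (!hasPassword(authentication)) {
            throw new BadCredentialsException("Bad credentials");
        }
        return delegate.authenticate(authentication);
    }

    /**
     * The length check that BindAuthenticator already performs and that the
     * Active Directory path lacked: a null or empty credential is rejected.
     */
    static boolean hasPassword(Authentication authentication) {
        if (authentication == null) {
            return false;
        }
        Object credentials = authentication.getCredentials();
        return credentials != null && !credentials.toString().isEmpty();
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Accept exactly what the wrapped provider accepts.
        return delegate.supports(authentication);
    }
}
```

      Register the wrapper where the Active Directory provider was registered before, for example `new EmptyPasswordRejectingProvider(new ActiveDirectoryLdapAuthenticationProvider("example.com", "ldap://ad.example.com/"))` with your own domain and URL. This is a stop-gap, not a substitute for the fix: upgrade to a fixed version and, independently, disable anonymous and unauthenticated binds on the directory so that an empty password cannot succeed at the server either.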

People

• Assignee: Rob Winch (rwinch)
• Reporter: Luke Taylor (luke)