Details
Description
This resolves CVE-2014-0097 which allows a malicious user to impersonate a user with an empty password if ALL of the following hold true:
- The application is using ActiveDirectoryLdapAuthenticator
- The directory allows anonymous binds (not recommended)
NOTE: This does NOT impact users of LdapAuthenticationProvider or <ldap-authentication-provider>
There is already a check for an empty password when using normal LDAP authentication, but it lives in BindAuthenticator, which ActiveDirectoryLdapAuthenticator does not use. The latter has its own bind method, which does not check the password length. If the directory allows anonymous binds (I'm not sure whether this is an issue with AD), then a simple bind with a user DN and an empty password is treated as an unauthenticated (anonymous) bind (RFC 4513, section 5.1.2) and succeeds, so the provider may incorrectly authenticate a user who supplies an empty password.
The password length check should be moved to AbstractLdapAuthenticationProvider.authenticate, so that it applies to every LDAP authentication path rather than only to BindAuthenticator.
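As an added illustration (not Spring Security's own code), the plain-JNDI snippet below shows the shape of the problem and of the fix: a simple bind the way an LDAP authenticator performs it, once without any guard and once with the empty-credential check applied before the bind. The method names, the LDAP URL and the principal are hypothetical placeholders; only the JNDI calls are real.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// Added illustration, not Spring Security's code. Method names are hypothetical.
public final class EmptyPasswordBind {

    /**
     * Simple bind as the given principal with no guard on the credential.
     * With an empty password this is an "unauthenticated bind" (RFC 4513 s.5.1.2):
     * a directory that permits anonymous access answers success, so a caller that
     * equates "bind succeeded" with "password correct" is fooled.
     */
    static LdapContext vulnerableBind(String url, String principal, String password)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password); // "" goes on the wire as an empty credential
        return new InitialLdapContext(env, null);
    }

    /** The guard the issue asks for: fail the login before any bind is attempted. */
    static void requireNonEmptyPassword(String password) throws AuthenticationException {
        if (password == null || password.isEmpty()) {
            throw new AuthenticationException("Empty password rejected before bind");
        }
    }

    /** Same bind, but the credential is checked first, independent of what the directory allows. */
    static LdapContext hardenedBind(String url, String principal, String password)
            throws NamingException {
        requireNonEmptyPassword(password);
        return vulnerableBind(url, principal, password);
    }

    public static void main(String[] args) throws NamingException {
        String url = "ldap://ad.example.test:389";   // placeholder; not contacted on this path
        String principal = "alice@example.test";     // placeholder
        try {
            hardenedBind(url, principal, "");
            System.out.println("BUG: empty password reached the directory");
        } catch (AuthenticationException e) {
            System.out.println(e.getMessage());
        }
        // vulnerableBind(url, principal, "") would instead send the bind and, against a
        // directory that allows anonymous binds, return a context without any error.
    }
}
```

The check is deliberately placed in the provider's authenticate path rather than in one particular bind helper, which is the point of the proposed fix: every authenticator that delegates to a simple bind then rejects empty credentials before the server's anonymous-bind policy can matter.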