CLOUDSTACK-7937: CloudStack accepts unauthenticated LDAP binds


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Management Server
    • Security Level: Public (Anyone can view this level - this is the default.)
    • 7.5

    Description

      Description:
Apache CloudStack can be configured to authenticate users against an LDAP directory. When so configured, it performs a simple LDAP bind using the name and password supplied by the user. RFC 4513 defines three mechanisms for the simple bind: 1) name/password, when both a name and a password are supplied; 2) unauthenticated, when a name is supplied with a zero-length password; and 3) anonymous, when neither a name nor a password is supplied. Apache CloudStack does not check whether a password was actually provided, so an attacker who knows a valid user's name can submit an empty password. If the LDAP server accepts unauthenticated binds, the bind returns success without any credential having been verified, and CloudStack treats that result as a successful login for that user.

      Mitigation:
This issue has been fixed in CloudStack versions 4.3.2 and 4.4.2. Please upgrade to one of those releases or later.

By default, many LDAP servers do not allow unauthenticated binds. If the LDAP server in use allows them, disabling unauthenticated binds on the server is a possible interim mitigation until the upgrade is done.

      Credit:
      This issue was identified by the Citrix Security Team.
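As an added illustration (this is not CloudStack's code, nor code from the CloudStack project), the following Python models the three RFC 4513 simple-bind mechanisms, encodes a BindRequest the way it goes on the wire (RFC 4511 section 4.2) to show that an empty-password bind is a perfectly well-formed request, and contrasts a login path that forwards whatever the user typed with one that refuses to issue anything but a name/password bind. The FakeDirectory class, its allow_unauthenticated flag, and the sample DN and password are constructed for the example; the flag stands in for whatever setting controls unauthenticated binds on a real directory server.

```python
# Added example, not code from CloudStack. Models the RFC 4513 simple-bind
# mechanisms and the login check described above; the directory is a fake.
from typing import Dict

# LDAP resultCode values (RFC 4511 section 4.1.9)
SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53


def classify_simple_bind(name: str, password: bytes) -> str:
    """Name the RFC 4513 section 5.1 mechanism a simple bind falls under."""
    if name and password:
        return "name/password"    # 5.1.3: the only mechanism that proves identity
    if name:
        return "unauthenticated"  # 5.1.2: non-empty name, zero-length password
    if not password:
        return "anonymous"        # 5.1.1: both fields zero length
    return "invalid"              # empty name with a password: not a defined mechanism


def _ber_len(n: int) -> bytes:
    """Definite-length BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_simple_bind(message_id: int, name: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.

    Nothing here can fail for an empty password: the 'simple' choice is just a
    zero-length OCTET STRING (tag 0x80, length 0). Only server policy decides.
    """
    assert 0 < message_id < 0x80, "single-byte messageID keeps the INTEGER encoding trivial"
    bind_request = (
        _tlv(0x02, b"\x03")                  # version        INTEGER (3)
        + _tlv(0x04, name.encode("utf-8"))   # name           LDAPDN
        + _tlv(0x80, password)               # authentication simple [0] OCTET STRING
    )
    # LDAPMessage SEQUENCE { messageID INTEGER, protocolOp BindRequest [APPLICATION 0] }
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind_request))


class FakeDirectory:
    """Stand-in for the LDAP server (constructed for this example).

    `allow_unauthenticated` models the server-side setting the mitigation above
    refers to; RFC 4513 section 5.1.2 recommends servers fail such binds by default.
    """

    def __init__(self, passwords: Dict[str, bytes], allow_unauthenticated: bool):
        self.passwords = passwords            # DN -> password (constructed sample data)
        self.allow_unauthenticated = allow_unauthenticated

    def bind(self, name: str, password: bytes) -> int:
        kind = classify_simple_bind(name, password)
        if kind == "name/password":
            return SUCCESS if self.passwords.get(name) == password else INVALID_CREDENTIALS
        if kind == "invalid":
            return INVALID_CREDENTIALS
        if kind == "unauthenticated" and not self.allow_unauthenticated:
            return UNWILLING_TO_PERFORM       # the RFC 4513 recommended default
        # anonymous, or unauthenticated on a permissive server: the bind
        # "succeeds" but establishes no identity at all
        return SUCCESS


def authenticate_vulnerable(directory: FakeDirectory, username: str, password: str) -> bool:
    """Pre-fix shape: user input goes straight into the bind and any
    resultCode of success counts as a login."""
    return directory.bind(username, password.encode("utf-8")) == SUCCESS


def authenticate_fixed(directory: FakeDirectory, username: str, password: str) -> bool:
    """Client-side fix: only ever issue a name/password bind. An empty password
    never reaches the server, so its policy on unauthenticated binds is moot."""
    if classify_simple_bind(username, password.encode("utf-8")) != "name/password":
        return False
    return directory.bind(username, password.encode("utf-8")) == SUCCESS


if __name__ == "__main__":
    admin = "cn=admin,dc=example,dc=com"     # constructed sample DN
    permissive = FakeDirectory({admin: b"s3cret"}, allow_unauthenticated=True)
    strict = FakeDirectory({admin: b"s3cret"}, allow_unauthenticated=False)
    print("wire bytes, empty-password bind:", encode_simple_bind(1, admin, b"").hex())
    print("vulnerable login, empty password, permissive server:",
          authenticate_vulnerable(permissive, admin, ""))   # True: the bug
    print("vulnerable login, empty password, strict server:",
          authenticate_vulnerable(strict, admin, ""))       # False: server-side mitigation
    print("fixed login, empty password, permissive server:",
          authenticate_fixed(permissive, admin, ""))        # False: client-side fix
    print("fixed login, correct password:", authenticate_fixed(strict, admin, "s3cret"))
```

The encoded request ends in the two bytes `80 00`, a valid zero-length simple credential, which is why the protocol itself offers no protection: the server's policy on unauthenticated binds decides whether that request becomes a session, and the permissive server turns it into a successful login through the vulnerable path. The server-side mitigation closes that path, but the client-side check is the fix that holds regardless of how the directory is configured, which is what the 4.3.2 and 4.4.2 releases add.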

People

    rajanik Rajani Karuturi
    jlk John Kinsella