[ https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640966#comment-17640966 ]
Richard N. Hillegas commented on DERBY-7147:
--------------------------------------------

Attaching derby-7147-03-aa-updateLDAPinstructions.diff and a corresponding tarball of generated output. This patch updates the security guide based on Bryan's experience. I would appreciate your feedback. It would be helpful if you could test-drive these instructions to make sure that I haven't garbled anything. In particular, I am concerned about the following points in the "Setting up Derby to use your LDAP directory service" section:

1) For the derby.authentication.server setting, I changed the protocol from ldap to ldaps. I hope that still works. I removed the line about ldap in the last paragraph because I don't think that we should even mention an insecure protocol.

2) The list of properties in "Setting up Derby to use your LDAP directory service" includes some properties which Bryan's summary doesn't mention: derby.authentication.ldap.searchAuthPW, derby.authentication.ldap.searchAuthDN, and derby.authentication.ldap.searchFilter. Are these still needed? If so, is the example still correct?

Touches the following files:

{noformat}
M src/security/cseccsecure863446.dita
Changes to the "Setting up Derby to use your LDAP directory service" section.

M src/security/csecldapbooting.dita
Changes to the "Booting an LDAP server" section.
{noformat}

> LDAP injection vulnerability in LDAPAuthenticationImpl
> ------------------------------------------------------
>
> Key: DERBY-7147
> URL: https://issues.apache.org/jira/browse/DERBY-7147
> Project: Derby
> Issue Type: Bug
> Components: JDBC
> Affects Versions: 10.16.1.1
> Reporter: Richard N. Hillegas
> Assignee: Richard N. Hillegas
> Priority: Major
> Attachments: derby-7147-01-aa-reformatForReadability.diff, derby-7147-02-aa-escapeLDAPsearchFilter.diff, derby-7147-02-ab-escapeLDAPsearchFilter.diff, derby-7147-03-aa-updateLDAPinstructions.diff, derby-7147-03-aa-updateLDAPinstructions.tar
>
>
> An LDAP injection vulnerability has been identified in LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been provided, but there is a possibility that an intruder could bypass authentication checks in Derby-powered applications which rely on external LDAP servers.
> For more information on LDAP injection, see https://www.synopsys.com/glossary/what-is-ldap-injection.html

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
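The class of bug described in the issue is a user name being spliced into an LDAP search filter without escaping; the following is an added illustration (not Derby's code and not the content of the attached derby-7147-02 patches) of the unescaped lookup beside one escaped per RFC 4515 section 3. The class name and the filter template are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;

// Builds a uid lookup filter two ways: by raw concatenation, and with the
// value escaped as RFC 4515 section 3 requires. Class and template are hypothetical.
public final class LdapFilterEscaper {

    // Hypothetical filter template; a real deployment would take this from configuration.
    static final String FILTER_TEMPLATE = "(&(objectClass=inetOrgPerson)(uid=%s))";

    // Unsafe form: filter metacharacters in the user name reach the LDAP server unchanged,
    // so the caller's input can alter the structure of the filter.
    public static String buildFilterUnsafe(String uid) {
        return String.format(FILTER_TEMPLATE, uid);
    }

    // Safe form: the value is escaped first, so it can only ever match as a literal uid.
    public static String buildFilterSafe(String uid) {
        return String.format(FILTER_TEMPLATE, escapeFilterValue(uid));
    }

    // Escapes '*', '(', ')', '\' and NUL, plus every control or non-ASCII byte of the
    // UTF-8 encoding, as a backslash followed by two lowercase hex digits (RFC 4515).
    public static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20 || c >= 0x7f) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a uid that happens to contain filter metacharacters.
        String uid = "o'brien*(test)";
        System.out.println("unsafe: " + buildFilterUnsafe(uid));
        System.out.println("safe:   " + buildFilterSafe(uid));
    }
}
```

Escaping the value is independent of the ldap-to-ldaps change discussed in the comment: TLS protects the filter in transit but does not prevent the filter's structure from being altered by its contents.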