[ https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640966#comment-17640966 ]

Richard N. Hillegas commented on DERBY-7147:
--------------------------------------------

Attaching derby-7147-03-aa-updateLDAPinstructions.diff and a corresponding 
tarball of generated output. This patch updates the security guide based on 
Bryan's experience. I would appreciate your feedback. It would be helpful if 
you could test-drive these instructions to make sure that I haven't garbled 
anything.

In particular, I am concerned about the following points in the "Setting up 
Derby to use your LDAP directory service" section:

1) For the derby.authentication.server setting, I changed the protocol from 
ldap to ldaps. I hope that still works. I removed the line about ldap in the 
last paragraph because I don't think that we should even mention an insecure 
protocol.

2) The list of properties in "Setting up Derby to use your LDAP directory 
service" includes some properties which Bryan's summary doesn't mention: 
derby.authentication.ldap.searchAuthPW, derby.authentication.ldap.searchAuthDN, 
and derby.authentication.ldap.searchFilter. Are these still needed? If so, is 
the example still correct?

Touches the following files:

{noformat}
M       src/security/cseccsecure863446.dita

Changes to the "Setting up Derby to use your LDAP directory service" section.


M       src/security/csecldapbooting.dita

Changes to the "Booting an LDAP server" section.
{noformat}


> LDAP injection vulnerability in LDAPAuthenticationImpl
> ------------------------------------------------------
>
>                 Key: DERBY-7147
>                 URL: https://issues.apache.org/jira/browse/DERBY-7147
>             Project: Derby
>          Issue Type: Bug
>          Components: JDBC
>    Affects Versions: 10.16.1.1
>            Reporter: Richard N. Hillegas
>            Assignee: Richard N. Hillegas
>            Priority: Major
>         Attachments: derby-7147-01-aa-reformatForReadability.diff, 
> derby-7147-02-aa-escapeLDAPsearchFilter.diff, 
> derby-7147-02-ab-escapeLDAPsearchFilter.diff, 
> derby-7147-03-aa-updateLDAPinstructions.diff, 
> derby-7147-03-aa-updateLDAPinstructions.tar
>
>
> An LDAP injection vulnerability has been identified in 
> LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been 
> provided, but there is a possibility that an intruder could bypass 
> authentication checks in Derby-powered applications which rely on external 
> LDAP servers.
> For more information on LDAP injection, see 
> https://www.synopsys.com/glossary/what-is-ldap-injection.html



--
This message was sent by Atlassian Jira
(v8.20.10#820010)