[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationImpl

Sun, 04 Dec 2022 08:54:05 -0800 


    [ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17643043#comment-17643043
 ] 

Richard N. Hillegas commented on DERBY-7147:
--------------------------------------------

I think that the LDAP provider should take responsibility for supplying full 
instructions for secure configuration. Anyone who really wants to integrate 
Derby into an LDAP environment will already have a secure LDAP server up and 
running. I don't think that Derby should get too far into the weeds here. I 
recommend committing this patch, maybe with some nod to the complexity of ldaps.

The ldap protocol is good enough for LDAPAuthenticationTest. We could improve 
the header comment on LDAPAuthenticationTest so that it reflects your 
experience configuring a run with ldap.

I may have over-rotated on this issue already. We never field LDAP questions on 
our mailing lists.

-Rick


> LDAP injection vulnerability in LDAPAuthenticationImpl
> ------------------------------------------------------
>
>                 Key: DERBY-7147
>                 URL: https://issues.apache.org/jira/browse/DERBY-7147
>             Project: Derby
>          Issue Type: Bug
>          Components: JDBC
>    Affects Versions: 10.16.1.1
>            Reporter: Richard N. Hillegas
>            Assignee: Richard N. Hillegas
>            Priority: Major
>         Attachments: derby-7147-01-aa-reformatForReadability.diff, 
> derby-7147-02-aa-escapeLDAPsearchFilter.diff, 
> derby-7147-02-ab-escapeLDAPsearchFilter.diff, 
> derby-7147-03-aa-updateLDAPinstructions.diff, 
> derby-7147-03-aa-updateLDAPinstructions.tar, 
> derby-7147-03-ab-updateLDAPinstructions.diff, 
> derby-7147-03-ab-updateLDAPinstructions.tar
>
>
> An LDAP injection vulnerability has been identified in 
> LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been 
> provided, but there is a possibility that an intruder could bypass 
> authentication checks in Derby-powered applications which rely on external 
> LDAP servers.
> For more information on LDAP injection, see 
> https://www.synopsys.com/glossary/what-is-ldap-injection.html



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to