[
https://issues.apache.org/jira/browse/CLOUDSTACK-7937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
John Kinsella updated CLOUDSTACK-7937:
--------------------------------------
Security: Public (was: Non-Public)
> CloudStack accepts unauthenticated LDAP binds
> ---------------------------------------------
>
> Key: CLOUDSTACK-7937
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7937
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Management Server
> Reporter: John Kinsella
> Assignee: Rajani Karuturi
> Priority: Critical
> Labels: security
> Attachments:
> 43-0001-Fixed-CLOUDSTACK-7937-CloudStack-accepts-unauthentic.patch,
> 44-0001-Fixed-CLOUDSTACK-7937-CloudStack-accepts-unauthentic.patch
>
>
> Description:
> Apache CloudStack may be configured to authenticate LDAP users. When so
> configured, it performs a simple LDAP bind with the name and password
> provided by a user. Simple LDAP binds are defined with three mechanisms (RFC
> 4513): 1) username and password; 2) unauthenticated if only a username is
> specified; and 3) anonymous if neither username nor password is specified.
> Currently, Apache CloudStack does not check if the password was provided,
> which could allow an attacker to bind as an unauthenticated user.
> Mitigation:
> This issue has been fixed in CloudStack versions 4.3.2 and 4.4.2. Please
> upgrade to the latest version.
> By default, many LDAP servers are not configured to allow unauthenticated
> binds. If the LDAP server in use allows this behaviour, a potential interim
> solution would be to consider disabling unauthenticated binds.
> Credit:
> This issue was identified by the Citrix Security Team.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
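The following is an added example, not CloudStack's own code (CloudStack is Java; this is a Python model of the same check). It classifies a simple bind request into the three RFC 4513 forms the description lists, shows a login routine that forwards an empty password to the directory unchecked beside one that rejects anything other than a name/password bind before contacting the server, and models the interim mitigation (disabling unauthenticated binds server-side) as a flag on a constructed in-memory stand-in for the directory. `FakeLdapServer`, `user_dn`, the `dc=example,dc=org` base and the account data are all constructed for the example.

```python
"""Pre-bind guard against unauthenticated simple binds (added example, not CloudStack code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class BindKind(Enum):
    """The three simple-bind forms of RFC 4513, section 5.1."""
    ANONYMOUS = "anonymous"              # 5.1.1: empty name and empty password
    UNAUTHENTICATED = "unauthenticated"  # 5.1.2: name present, empty password
    NAME_PASSWORD = "name/password"      # 5.1.3: both present


def classify_simple_bind(dn: Optional[str], password: Optional[str]) -> BindKind:
    """Classify a simple bind request by which of its two fields are non-empty.

    A password with no name matches none of the RFC 4513 mechanisms; this
    example groups it with ANONYMOUS because it can never prove an identity
    (a design choice here, not something the RFC prescribes).
    """
    if dn and password:
        return BindKind.NAME_PASSWORD
    if dn:
        return BindKind.UNAUTHENTICATED
    return BindKind.ANONYMOUS


@dataclass
class FakeLdapServer:
    """Constructed stand-in for a directory server; nothing touches the network.

    allow_unauthenticated mirrors the server-side setting the advisory suggests
    disabling as an interim mitigation.
    """
    passwords: Dict[str, str]            # dn -> password (constructed data)
    allow_unauthenticated: bool = False

    def simple_bind(self, dn: str, password: str) -> bool:
        """Return True when the server grants the bind."""
        kind = classify_simple_bind(dn, password)
        if kind is BindKind.ANONYMOUS:
            # An anonymous bind yields no user identity, so it is useless for
            # application login; treat it as not authenticated.
            return False
        if kind is BindKind.UNAUTHENTICATED:
            # A permissive server answers success for a known name without
            # checking any credential at all.
            return self.allow_unauthenticated and dn in self.passwords
        return self.passwords.get(dn) == password


def user_dn(username: str) -> str:
    """Build the bind DN from a login name (constructed base DN)."""
    return f"uid={username},ou=people,dc=example,dc=org"


def vulnerable_login(server: FakeLdapServer, username: str, password: Optional[str]) -> bool:
    """Before the fix: whatever password was supplied goes to the server unchecked.

    Against a server that allows unauthenticated binds, an empty or missing
    password makes this return True for any existing username.
    """
    return server.simple_bind(user_dn(username), password or "")


def hardened_login(server: FakeLdapServer, username: str, password: Optional[str]) -> bool:
    """After the fix: refuse anything but a name/password bind before contacting the server."""
    dn = user_dn(username) if username else ""
    if classify_simple_bind(dn, password) is not BindKind.NAME_PASSWORD:
        # Reject locally; never let the directory decide what an empty
        # password means.
        return False
    return server.simple_bind(dn, password)


if __name__ == "__main__":
    directory = {user_dn("alice"): "s3cret"}          # constructed account
    permissive = FakeLdapServer(directory, allow_unauthenticated=True)
    strict = FakeLdapServer(directory, allow_unauthenticated=False)
    print("vulnerable login, permissive server, empty password:",
          vulnerable_login(permissive, "alice", ""))
    print("hardened login,   permissive server, empty password:",
          hardened_login(permissive, "alice", ""))
    print("vulnerable login, strict server,     empty password:",
          vulnerable_login(strict, "alice", ""))
    print("hardened login,   correct password:                 ",
          hardened_login(permissive, "alice", "s3cret"))
```

The two rows that matter are the first and the third: the unchecked login succeeds with an empty password only when the directory permits unauthenticated binds, which is why turning that server option off works as an interim measure, while the hardened login never reaches the server with an empty or missing password regardless of how the directory is configured. Treating `None` and `""` identically in the guard matters because a web form that omits the field and one that submits it empty both arrive as "no password".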