[ https://issues.apache.org/jira/browse/CLOUDSTACK-7937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
John Kinsella updated CLOUDSTACK-7937:
--------------------------------------

    Security: Public  (was: Non-Public)

> CloudStack accepts unauthenticated LDAP binds
> ---------------------------------------------
>
>                 Key: CLOUDSTACK-7937
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7937
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Management Server
>            Reporter: John Kinsella
>            Assignee: Rajani Karuturi
>            Priority: Critical
>              Labels: security
>         Attachments: 43-0001-Fixed-CLOUDSTACK-7937-CloudStack-accepts-unauthentic.patch,
>                      44-0001-Fixed-CLOUDSTACK-7937-CloudStack-accepts-unauthentic.patch
>
>
> Description:
> Apache CloudStack may be configured to authenticate LDAP users. When so configured, it performs a simple LDAP bind with the name and password provided by a user. Simple LDAP binds are defined with three mechanisms (RFC 4513): 1) username and password; 2) unauthenticated if only a username is specified; and 3) anonymous if neither username nor password is specified. Currently, Apache CloudStack does not check if the password was provided, which could allow an attacker to bind as an unauthenticated user.
>
> Mitigation:
> This issue has been fixed in CloudStack versions 4.3.2 and 4.4.2. Please upgrade to the latest version.
> By default, many LDAP servers are not configured to allow unauthenticated binds. If the LDAP server in use allows this behaviour, a potential interim solution would be to consider disabling unauthenticated binds.
>
> Credit:
> This issue was identified by the Citrix Security Team.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
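The bug class described in the issue, as an added example that is not CloudStack's code and not the attached patches: a simulated LDAP server implementing the three RFC 4513 simple-bind outcomes (authenticated, unauthenticated, anonymous), a login routine that forwards whatever password it received (the vulnerable pattern), and a hardened routine that refuses to bind when the password is empty. The server flag `allow_unauthenticated` stands in for the interim mitigation the issue suggests (disabling unauthenticated binds on the directory). All names, the sample DN and the password are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class FakeLdapServer:
    """Simulated directory. Models RFC 4513 simple-bind semantics only;
    it is not a real LDAP implementation."""
    users: dict = field(default_factory=dict)   # DN -> password (constructed sample data)
    allow_unauthenticated: bool = True          # many real servers disable this by default

    def simple_bind(self, name: str, password: str) -> str:
        """Return the authentication state the bind would establish,
        or raise PermissionError if the server rejects it."""
        if name == "" and password == "":
            return "anonymous"          # RFC 4513 5.1.1: anonymous bind
        if password == "":
            # RFC 4513 5.1.2: name present, no password -> unauthenticated bind.
            # A server that permits this returns success to the client.
            if self.allow_unauthenticated:
                return "unauthenticated"
            raise PermissionError("unauthenticated binds are disabled")
        if self.users.get(name) == password:
            return "authenticated"      # RFC 4513 5.1.3: name/password bind
        raise PermissionError("invalid credentials")


def vulnerable_ldap_login(server: FakeLdapServer, username: str, password: str) -> bool:
    """Vulnerable pattern: treat any successful bind as a successful login.
    With an empty password the bind succeeds as an unauthenticated session."""
    try:
        server.simple_bind(username, password)
        return True
    except PermissionError:
        return False


def hardened_ldap_login(server: FakeLdapServer, username: str, password: str) -> bool:
    """Hardened pattern (assumed fix shape, not the project's patch): refuse to
    issue the bind at all unless both a name and a non-empty password exist."""
    if not username or not username.strip():
        return False                    # never allow an anonymous bind to count as login
    if not password:
        return False                    # an empty password would become an unauthenticated bind
    try:
        server.simple_bind(username, password)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Exercise both login routines against a permissive and a locked-down server."""
    dn = "uid=alice,ou=people,dc=example,dc=com"       # constructed sample DN
    permissive = FakeLdapServer({dn: "correct-horse"}, allow_unauthenticated=True)
    locked = FakeLdapServer({dn: "correct-horse"}, allow_unauthenticated=False)
    return {
        # the bug: empty password accepted by the vulnerable routine
        "vuln_empty_pw": vulnerable_ldap_login(permissive, dn, ""),
        # application-side fix: empty password rejected before any bind
        "hard_empty_pw": hardened_ldap_login(permissive, dn, ""),
        "hard_good_pw": hardened_ldap_login(permissive, dn, "correct-horse"),
        "hard_bad_pw": hardened_ldap_login(permissive, dn, "wrong"),
        # directory-side interim mitigation: server refuses unauthenticated binds
        "vuln_empty_pw_locked": vulnerable_ldap_login(locked, dn, ""),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The application-side check is the one that matters: relying on the directory to reject unauthenticated binds leaves the management server one misconfigured LDAP server away from the original problem, which is why the issue frames the server setting as an interim measure rather than the fix.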