[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationImpl
[ https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17642921#comment-17642921 ]

Bryan Pendleton commented on DERBY-7147:

Perhaps we can proceed with what we have now, and in a separate Jira we could log the enhancement to have our documentation provide thorough details about how to integrate Derby with LDAP using the ldaps: protocol.

> LDAP injection vulnerability in LDAPAuthenticationImpl
> --
>
> Key: DERBY-7147
> URL: https://issues.apache.org/jira/browse/DERBY-7147
> Project: Derby
> Issue Type: Bug
> Components: JDBC
> Affects Versions: 10.16.1.1
> Reporter: Richard N. Hillegas
> Assignee: Richard N. Hillegas
> Priority: Major
> Attachments: derby-7147-01-aa-reformatForReadability.diff,
>              derby-7147-02-aa-escapeLDAPsearchFilter.diff,
>              derby-7147-02-ab-escapeLDAPsearchFilter.diff,
>              derby-7147-03-aa-updateLDAPinstructions.diff,
>              derby-7147-03-aa-updateLDAPinstructions.tar,
>              derby-7147-03-ab-updateLDAPinstructions.diff,
>              derby-7147-03-ab-updateLDAPinstructions.tar
>
> An LDAP injection vulnerability has been identified in LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been provided, but there is a possibility that an intruder could bypass authentication checks in Derby-powered applications which rely on external LDAP servers.
>
> For more information on LDAP injection, see https://www.synopsys.com/glossary/what-is-ldap-injection.html

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
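The class of fix the escapeLDAPsearchFilter patches on this issue describe, shown as an added example that is not Derby's own code: a user-supplied uid is escaped per RFC 4515 before it is spliced into the search filter, with the unescaped concatenation beside it for comparison. The class and method names are hypothetical, and the sample inputs are constructed.

```java
import java.nio.charset.StandardCharsets;

// Added example, not Derby's code. Class and method names are hypothetical.
public final class LdapFilterEscapeExample {

    /**
     * Escape a value for use inside an LDAP search filter assertion
     * (RFC 4515 section 3): the metacharacters that would let input change
     * the filter's structure are replaced by their \xx hex forms.
     */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            switch (b) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case 0:    sb.append("\\00"); break;
                default:
                    // Control characters and non-ASCII UTF-8 bytes (negative as a
                    // signed byte) are hex-encoded too; printable ASCII is copied.
                    if (b < 0x20 || b == 0x7f) {
                        sb.append(String.format("\\%02x", b & 0xff));
                    } else {
                        sb.append((char) b);
                    }
            }
        }
        return sb.toString();
    }

    /** The unsafe shape: the caller's uid is concatenated straight into the filter. */
    public static String unsafeUidFilter(String uid) {
        return "(uid=" + uid + ")";
    }

    /** The hardened shape: the uid can only ever be matched literally. */
    public static String safeUidFilter(String uid) {
        return "(uid=" + escapeFilterValue(uid) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an ordinary uid and one made of a filter metacharacter.
        for (String uid : new String[] { "jsmith", "*" }) {
            System.out.println("unsafe: " + unsafeUidFilter(uid));
            System.out.println("safe:   " + safeUidFilter(uid));
        }
    }
}
```

With the unescaped builder a lone wildcard turns the filter into a match for every entry under the search base, which is the kind of authentication-check bypass the issue description warns about; the escaped builder matches only a uid that is literally an asterisk.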
[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationImpl
[ https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17642879#comment-17642879 ]

Bryan Pendleton commented on DERBY-7147:

Actually, I think I did my ldaps test incorrectly. Configuring ldaps works, but it is a lot more complex (see https://directory.apache.org/apacheds/basic-ug/3.3-enabling-ssl.html#other-clients-java-programs-using-jndi for all the details). Derby has to have the right keystore to trust the self-signed certificate supplied by ApacheDS.

Do you think this is important for us to document? If so, we'll probably need a fair bit more documentation to work out the specifics.
[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationImpl
[ https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17642863#comment-17642863 ]

Richard N. Hillegas commented on DERBY-7147:

Thanks for that feedback, Bryan. Attaching derby-7147-03-ab-updateLDAPinstructions.diff and a corresponding tarball of generated output. This patch improves the wording of the boot instructions, as you recommended. Thanks for verifying that the ldaps protocol works. I will commit this patch in a couple days if there are no more comments.

Touches the same files:

{noformat}
M src/security/cseccsecure863446.dita
    Changes to the "Setting up Derby to use your LDAP directory service" section.

M src/security/csecldapbooting.dita
    Changes to the "Booting an LDAP server" section.
{noformat}
[jira] [Updated] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationImpl
[ https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard N. Hillegas updated DERBY-7147:
---
Attachment: derby-7147-03-ab-updateLDAPinstructions.diff
[jira] [Updated] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationImpl
[ https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard N. Hillegas updated DERBY-7147:
---
Attachment: derby-7147-03-ab-updateLDAPinstructions.tar
[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationImpl
[ https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17642851#comment-17642851 ]

Bryan Pendleton commented on DERBY-7147:

Those documentation updates seem like good improvements to me. For csecldapbooting.dita, you could possibly change 'Boot ApacheDS via the following command' to something like 'Boot ApacheDS. On Linux, for example, run the following command' since I believe the precise instructions vary by platform.

The 'ldaps' worked fine for me in my toy example, and I have no reason to believe it wouldn't work elsewhere.

I unfortunately have no input on your much harder second question.