-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds
CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
Vendors:
The Apache Software Foundation
Citrix, Inc.
Versions Affected:
Apache CloudStack 4.3, 4.4
Description:
Apache CloudStack may be configured to authenticate LDAP users.
When so configured, it performs a simple LDAP bind with the name
and password provided by the user and treats a successful bind as
a successful login. RFC 4513 (section 5.1) defines three simple bind
mechanisms: 1) name/password, where both are present; 2)
unauthenticated, where a name is given but the password is empty;
and 3) anonymous, where neither name nor password is given. An
unauthenticated bind carries no proof of identity, and a server
that permits it answers with success while granting only anonymous
authorization. Apache CloudStack does not check that a password was
actually supplied before binding, so an attacker who knows a valid
username can submit an empty password, receive a successful
unauthenticated bind from a permissive LDAP server, and be logged
in as that user.
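The following is an added model of the flaw and its fix, not code from Apache CloudStack or the advisory. It classifies a simple bind request by the three RFC 4513 mechanisms, stands in for an LDAP server that either rejects or permits unauthenticated binds, and shows the login logic before and after the missing password check. The directory entry, DNs, and function names are hypothetical.

```python
"""Model of the CVE-2014-7807 bind check (added example, not CloudStack code).

A fake LDAP server classifies each simple bind per RFC 4513 section 5.1.
vulnerable_login() mirrors the pre-fix pattern: any successful bind is a
login. fixed_login() refuses to bind unless both name and password are
present, so the server is never asked for an unauthenticated bind.
"""
from dataclasses import dataclass

# Constructed sample directory: DN -> password (hypothetical data).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
}


def classify_simple_bind(name: str, password: str) -> str:
    """Classify a simple bind request using the RFC 4513 section 5.1 terms.

    An empty name with a non-empty password is none of the three
    mechanisms; this model labels it "invalid" and the server rejects it.
    """
    if not name and not password:
        return "anonymous"
    if name and not password:
        return "unauthenticated"
    if not name and password:
        return "invalid"
    return "name/password"


@dataclass
class FakeLdapServer:
    """Minimal stand-in for an LDAP server's simple bind handling."""

    directory: dict
    # RFC 4513 5.1.2 says servers SHOULD reject unauthenticated binds by
    # default (unwillingToPerform); set True to model a permissive server.
    allow_unauthenticated: bool = False

    def simple_bind(self, name: str, password: str) -> bool:
        """Return True when the server would answer resultCode success."""
        kind = classify_simple_bind(name, password)
        if kind == "anonymous":
            return True
        if kind == "unauthenticated":
            # A permissive server answers success with anonymous authz,
            # which is exactly what the vulnerable client mistakes for auth.
            return self.allow_unauthenticated
        if kind == "invalid":
            return False
        return self.directory.get(name) == password


def vulnerable_login(server: FakeLdapServer, name: str, password: str) -> bool:
    """Pre-fix pattern: whatever the user typed goes straight into the bind."""
    return server.simple_bind(name, password)


def fixed_login(server: FakeLdapServer, name: str, password: str) -> bool:
    """Post-fix pattern: only a name/password bind can count as a login."""
    if not name or not password:
        return False
    return server.simple_bind(name, password)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    permissive = FakeLdapServer(DIRECTORY, allow_unauthenticated=True)
    strict = FakeLdapServer(DIRECTORY, allow_unauthenticated=False)
    print("vulnerable, permissive server, empty password:",
          vulnerable_login(permissive, alice, ""))
    print("fixed, permissive server, empty password:",
          fixed_login(permissive, alice, ""))
    print("vulnerable, strict server, empty password:",
          vulnerable_login(strict, alice, ""))
```

The model makes the two halves of the advisory's mitigation visible: the client-side check in fixed_login() closes the hole regardless of server configuration, while a strict server (allow_unauthenticated=False) only protects the vulnerable client for as long as that server setting holds.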
Mitigation:
Users of Apache CloudStack 4.4 and derivatives should update to the
latest version (4.4.2).
An updated release, Apache CloudStack 4.3.2, is in testing. Until
it is released, we recommend the interim mitigation below:
By default, many LDAP servers are not configured to allow
unauthenticated binds (RFC 4513 recommends that servers reject them
with unwillingToPerform). If the LDAP server in use allows this
behaviour, disabling unauthenticated binds on the server closes the
exposure until the CloudStack update can be applied; on OpenLDAP, for
example, this is governed by the "allow bind_anon_dn" setting, which
should not be enabled. A simple check is to attempt a bind with a
valid DN and an empty password from any LDAP client: a correctly
configured server refuses the bind rather than answering success.
Credit:
This issue was identified by the Citrix Security Team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
=QqOf
-----END PGP SIGNATURE-----