Security Advisory

DS/OpenDJ Security Advisory #201706

Last updated Jul 9, 2018

Security vulnerabilities have been discovered in ForgeRock Directory Services (DS) 5.0, 5.5 and in OpenDJ versions 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 3.0.0, 3.5.0, 3.5.1, 3.5.2. The OpenDJ Community Edition 2.6.4 is also affected.


November 9, 2017

Security vulnerabilities have been discovered in DS 5.0, 5.5 and in OpenDJ versions 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 3.0.0, 3.5.0, 3.5.1, 3.5.2. The OpenDJ Community Edition 2.6.4 is also affected.

These versions of DS/OpenDJ are embedded in AM 5.0, 5.5 and OpenAM 11.x, 12.x, 13.x, as well. Please see What versions of DS/OpenDJ are compatible with AM/OpenAM? for more information.

This advisory provides guidance on how to ensure your deployments can be secured. Patches are available for the issues, which are included in the DS 5.5 release and in the forthcoming OpenDJ 3.5.3 maintenance release.

The severity of the issues in this advisory is between Low and Medium. Deployers should take steps as outlined in this advisory and apply the relevant updates at the earliest opportunity.

The recommendation for customers is to deploy the relevant patch, or to upgrade to DS 5.5 or OpenDJ 3.5.3 (when available). See How do I install a DS/OpenDJ patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.

The cumulative patches fixing this and all previous OpenDJ security advisories are available to customers for DS 5.0 and OpenDJ 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 3.0.0, 3.5.0, 3.5.1, 3.5.2 from BackStage.

Note

Customers with existing DS/OpenDJ patches must raise a ticket with ForgeRock support to obtain an updated patch: https://backstage.forgerock.com/support/tickets.

Issue #201706-01: Disk paths may be revealed in operation error messages

Product: DS, OpenDJ
Affected versions: DS 5.0, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2
Fixed versions: DS 5.5, OpenDJ 3.5.3
Component: Core Server
Severity: Low

Description:

DS/OpenDJ’s built-in disk space monitor detects when the disk space is full, and blocks write operations. The error responses returned to LDAP or REST clients contain the path to the underlying backend. This information leakage may be useful to an attacker.

Workaround:

None.

Resolution:

Update/upgrade to DS 5.5 or to OpenDJ 3.5.3 when available, or deploy the relevant patch.

Issue #201706-02: SASL security layer may use excessive memory

Product: DS, OpenDJ
Affected versions: DS 5.0, 5.5, OpenDJ 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, Community Edition 2.6.4, 3.0.0, 3.5.0, 3.5.1, 3.5.2
Fixed versions: OpenDJ 3.5.3
Component: Core Server
Severity: Medium

Description:

The DIGEST-MD5 and GSS-API SASL mechanisms allow for confidentiality and/or integrity protection in the SASL network layer. The SASL client and server negotiate a buffer size to use in this layer, and a malicious client could cause the server to use excessive memory. Confidentiality and integrity protection are not enabled for these mechanisms by default.

Workaround:

Disable the DIGEST-MD5 and GSS-API SASL mechanisms, or at least set their quality-of-protection properties to “none” to prevent security layer negotiation. For example:

$ ./dsconfig set-sasl-mechanism-handler-prop --handler-name DIGEST-MD5 --set quality-of-protection:none

$ ./dsconfig set-sasl-mechanism-handler-prop --handler-name GSS-API --set quality-of-protection:none

TLS is a suitable alternative to the use of SASL security layers.

Resolution:

Update/upgrade to OpenDJ 3.5.3 when available or deploy the relevant patch.

Issue #201706-03: File-Based Audit Logger reveals plaintext passwords

Product: DS
Affected versions: DS 5.0
Fixed versions: DS 5.5
Component: Core Server
Severity: Medium

Description:

The File-Based Audit Logger will log any plain text passwords received in add or modify operations. This logger is disabled by default.

Workaround:

Do not enable the File-Based Audit Logger. For example:

$ ./dsconfig set-log-publisher-prop --publisher-name File-Based\ Audit\ Logger --set enabled:false

Resolution:

Update/upgrade to DS 5.5, or deploy the relevant patch.
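
Because the audit logger may already have written credentials to disk on an affected DS 5.0 instance, deployers will want to know which entries need a password reset and which log files need scrubbing. The following script is an added example, not ForgeRock code: it scans audit-log text for password attributes whose values lack a `{SCHEME}` storage prefix. The sample log is constructed and only approximates the LDIF change-record layout of the audit log.

```python
import base64
import re
from typing import Dict, List

# Constructed sample approximating DS/OpenDJ audit-log records: LDIF change
# records, each preceded by a "# timestamp; conn=N; op=N" comment. Not real data.
SAMPLE_AUDIT_LOG = """\
# 09/Nov/2017:10:15:02 +0000; conn=12; op=3
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: hunter2
-

# 09/Nov/2017:10:15:40 +0000; conn=14; op=1
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
userPassword: {SSHA}bogusHashValueForIllustrationOnly==

# 09/Nov/2017:10:16:05 +0000; conn=15; op=2
dn: uid=scarter,ou=People,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
userPassword:: cGxhaW50ZXh0LXNlY3JldA==
"""

# A value carrying a password-storage-scheme prefix such as {SSHA} is already
# hashed; any other value under a password attribute is treated as plaintext.
SCHEME_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")
PASSWORD_ATTRS = {"userpassword", "authpassword"}


def find_plaintext_passwords(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per audit record whose password attribute is plaintext."""
    findings = []
    for record in re.split(r"\n\s*\n", log_text.strip()):
        header, dn = "", ""
        for line in record.splitlines():
            if line.startswith("#"):
                header = line[1:].strip()  # timestamp; conn=N; op=N
                continue
            if ":" not in line:
                continue  # "-" separators between modify sub-operations
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if value.startswith(":"):  # LDIF "attr:: base64" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if attr == "dn":
                dn = value
            elif attr in PASSWORD_ATTRS and not SCHEME_PREFIX.match(value):
                findings.append({"header": header, "dn": dn, "attribute": attr})
    return findings
```

Run it over each rotated audit log; every DN it reports needs a credential reset before the log files are securely deleted.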

Issue #201706-04: REST interface error pages are vulnerable to XSS

Product: DS, OpenDJ
Affected versions: DS 5.0, OpenDJ 3.5.0, 3.5.1, 3.5.2
Fixed versions: DS 5.5, OpenDJ 3.5.3
Component: Core Server
Severity: Medium

Description:

HTML error pages returned by the internal DS/OpenDJ REST interface are vulnerable to a reflected XSS attack.

Workaround:

Disable the REST interface. For example:

$ ./dsconfig set-connection-handler-prop --handler-name HTTP\ Connection\ Handler --set enabled:false

$ ./dsconfig set-connection-handler-prop --handler-name HTTPS\ Connection\ Handler --set enabled:false

Resolution:

Update/upgrade to DS 5.5 or to OpenDJ 3.5.3 when available, or deploy the relevant patch.



Copyright © 2018 ForgeRock, all rights reserved.