Security Advisory

OpenDJ Security Advisory #201703

Last updated Jul 9, 2018

Two security vulnerabilities have been discovered in OpenDJ versions 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 3.0.0, 3.5.0 and 3.5.1. These versions of OpenDJ are embedded in OpenAM 11.x, 12.x, 13.0.0 and 13.5.0.

April 21, 2017

This advisory provides guidance on how to ensure your deployments can be secured. Patches are available for the issues, which are included in the OpenDJ 3.5.2 maintenance release and in the ForgeRock Directory Services 5.0 release (based on OpenDJ 4.0.0).

The severity of the issues in this advisory is Medium. Deployers should take steps as outlined in this advisory and apply the relevant updates at the earliest opportunity.

The recommendation is to deploy the relevant patch or to upgrade to a release that contains the patch.

The patches fixing all OpenDJ security advisories are available to customers for OpenDJ 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 3.0.0, 3.5.0 and 3.5.1 from BackStage. Customers with other deployed patches should contact the support organization to obtain an updated patch.

Issue #201703-01: Bind Request trace logging shows plaintext password

Product: OpenDJ
Affected versions: 3.0.0, 3.5.0, 3.5.1
Fixed versions: OpenDJ 3.5.2 and DS 5
Component: Client Library
Severity: Medium

Description:

The OpenDJ Client Library contains optional tracing messages for troubleshooting LDAP/LDAPS operations. When tracing is enabled and the application performs a Simple Bind Request (password-based LDAP authentication), the password is printed in the clear as part of the trace.

Workaround:

Do not enable tracing in client applications, especially OpenAM 13.x.

Resolution:

Update/upgrade to OpenDJ 3.5.2 when available, or to ForgeRock Directory Services 5.0 (OpenDJ 4.0.0) or higher, or deploy the relevant patch. If you are using OpenAM 13.x, upgrade to OpenAM 13.5.1 when available, or deploy the relevant patch.

Issue #201703-02: Sending random data to LDAP/LDAPS ports may expose information about the service

Product: OpenDJ
Affected versions: 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 3.0.0, 3.5.0, 3.5.1
Fixed versions: OpenDJ 3.5.2 and DS 5
Component: Core Server
Severity: Medium

Description:

When the server receives garbage data on the LDAP/LDAPS ports that it cannot decode as a proper LDAP message, it closes the connection. Before doing so, it tries to send the standard LDAP “Notice Of Disconnection” message to the client application. This message contains information about the expected protocol, but also a qualified class name of the application (org.forgerock.opendj.ldap). An attacker can use this information to refine an attack, since it reveals which Directory Server implementation is running.

Workaround:

Disable sending the notice of disconnection in the relevant connection handlers. For example, for the LDAP Connection Handler:

$ ./dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set send-rejection-notice:false

Note:

send-rejection-notice is an advanced property. If you use dsconfig in interactive mode, you need to start it with the --advanced option.
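To see concretely what a Notice of Disconnection carries, and to check a captured reply from a test server for the leak described above, the following is an added example (not code from the advisory or from OpenDJ): it builds a constructed Notice of Disconnection in the BER layout RFC 4511 specifies for the unsolicited ExtendedResponse, parses it back, and reports any diagnostic text that names the implementation package. The diagnostic texts and the marker list are assumptions for illustration.

```python
NOTICE_OF_DISCONNECTION_OID = "1.3.6.1.4.1.1466.20036"   # RFC 4511 section 4.4.1
# Assumed marker list; the advisory itself names only the OpenDJ package.
IMPLEMENTATION_MARKERS = ("org.forgerock.opendj.ldap",)
def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value
def encode_notice_of_disconnection(diagnostic):
    """Constructed sample of the unsolicited ExtendedResponse (not captured traffic)."""
    result = (_tlv(0x0A, b"\x02")                 # resultCode protocolError(2)
              + _tlv(0x04, b"")                   # matchedDN, empty
              + _tlv(0x04, diagnostic.encode())   # diagnosticMessage
              + _tlv(0x8A, NOTICE_OF_DISCONNECTION_OID.encode()))  # responseName [10]
    # LDAPMessage ::= SEQUENCE { messageID 0, extendedResp [APPLICATION 24] }
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x78, result))
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def parse_ldap_message(buf):
    """Decode an LDAPMessage; only an ExtendedResponse (tag 0x78) is unpacked."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    msg = {"message_id": int.from_bytes(mid, "big")}
    tag, op, _ = _read_tlv(body, pos)
    if tag == 0x78:
        _, rc, pos = _read_tlv(op, 0)
        _, dn, pos = _read_tlv(op, pos)
        _, diag, pos = _read_tlv(op, pos)
        msg.update(result_code=rc[0], matched_dn=dn.decode(), diagnostic=diag.decode())
        while pos < len(op):                      # optional responseName [10]
            tag, val, pos = _read_tlv(op, pos)
            if tag == 0x8A:
                msg["response_name"] = val.decode()
    return msg
def leaked_markers(msg):
    # Only a genuine notice (messageID 0, the disconnection OID) is inspected.
    if msg.get("message_id") != 0 or msg.get("response_name") != NOTICE_OF_DISCONNECTION_OID:
        return []
    return [m for m in IMPLEMENTATION_MARKERS if m in msg.get("diagnostic", "")]
```

A diagnostic message that reads simply "protocol error" yields an empty marker list, which is the outcome the fixed releases and the workaround are meant to produce.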

Resolution:

Update/upgrade to OpenDJ 3.5.2 when available, or to ForgeRock Directory Services 5.0 (OpenDJ 4.0.0) or higher, or deploy the relevant patch. If you are using OpenAM 13.x, upgrade to OpenAM 13.5.1 when available, or deploy the relevant patch.

See Also

How do I install a DS/OpenDJ patch (All versions) supplied by ForgeRock support?



Copyright © 2018 ForgeRock, all rights reserved.