How do I check if my OpenDJ 2.6.0, 2.6.1 or 2.6.2 installation is vulnerable to Security Advisory 201504?
The purpose of this article is to provide information on checking if your OpenDJ 2.6.0, 2.6.1 or 2.6.2 installation is vulnerable to Security Advisory 201504. Proxied Authorization can be exploited if a user has been given the necessary privileges (proxied-auth) and access controls as described in the security advisory. This issue can also affect OpenAM when using an embedded or external OpenDJ data store if the applicable changes have been made to OpenDJ to use Proxied Authorization.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Background
You (as a configured Directory Admin) must have manually added the following to an entry in order for this vulnerability to be present:
ds-privilege-name: proxied-auth

You are not vulnerable if no people or application entries have the proxied-auth privilege.
Additionally, you would have needed an ACI set to allow the use of the Proxied Authorization control, for example:
aci: (target="ldap:///ou=People,dc=example,dc=com")(targetattr="*||+")(version 3.0; acl "Allow Alice to proxy auth"; allow (proxy) (userdn = "ldap:///uid=alice,ou=People,dc=example,dc=com");)

Or:

ds-cfg-global-aci: (target="ldap:///ou=People,dc=example,dc=com")(targetattr="*||+")(version 3.0; acl "Allow appacct to proxy auth"; allow (proxy) (userdn = "ldap:///uid=appacct,ou=Applications,dc=example,dc=com");)

See OpenDJ Security Advisory #201504 and OpenDJ Administration Guide › Configuring Privileges & Access Control for further information.
Checking if any users use Proxied Authorization
Search
You can check to see if any users currently have the proxied-auth privilege using the following search:
$ ./ldapsearch -p [port] -D "cn=Directory Manager" -w [password] --baseDN dc=example,dc=com ds-privilege-name=proxied-auth ds-privilege-name
dn: uid=alice,ou=People,dc=example,dc=com
ds-privilege-name: proxied-auth

dn: uid=appacct,ou=Service Accounts,dc=example,dc=com
ds-privilege-name: proxied-auth

Access Logs
You can check the OpenDJ access logs for evidence of any proxied authorization.
In this example log, you can see that uid=alice has used proxied authorization to act as uid=bob: the SEARCH RES line carries authzDN="uid=bob,..." while the connection was bound as authDN="uid=alice,...".
[27/May/2015:17:50:00 -0600] CONNECT conn=2 from=127.0.0.1:55217 to=127.0.0.1:2389 protocol=LDAP
[27/May/2015:17:50:00 -0600] BIND REQ conn=2 op=0 msgID=1 version=3 type=SIMPLE dn="uid=alice,ou=People,dc=example,dc=com"
[27/May/2015:17:50:00 -0600] BIND RES conn=2 op=0 msgID=1 result=0 authDN="uid=alice,ou=People,dc=example,dc=com" etime=1
[27/May/2015:17:50:00 -0600] SEARCH REQ conn=2 op=1 msgID=2 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=charlie)" attrs="ALL"
[27/May/2015:17:50:00 -0600] SEARCH RES conn=2 op=1 msgID=2 result=0 nentries=0 authzDN="uid=bob,ou=People,dc=example,dc=com" etime=2
[27/May/2015:17:50:00 -0600] UNBIND REQ conn=2 op=2 msgID=3
[27/May/2015:17:50:00 -0600] DISCONNECT conn=2 reason="Client Unbind"

If neither of these checks reveals that you are using Proxied Authorization, and you have not configured a non-root user to use the proxied authorization privilege, you do not need to do anything as you are not vulnerable.
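Reading the access log by eye works for a short sample, but a production log can run to millions of lines. The following script is an added example (it is not ForgeRock's code and not part of this article) that scans OpenDJ 2.6 access-log text for the authzDN field described above, pairs each occurrence with the identity the connection was bound as (from the preceding BIND RES line), and summarises which bound identities acted as which authorization identities so the result can be compared with the ldapsearch output for the proxied-auth privilege. The log lines embedded in it are constructed for the example: one connection proxies as another user, one never uses proxied authorization, and one shows authzDN without a bind in the sampled window (as happens after log rotation).

```python
"""Flag proxied-authorization use in OpenDJ 2.6 access-log text.

Added example; not ForgeRock code. Assumes the 2.6 text access-log layout
"[timestamp] OPERATION [REQ|RES] key=value ..." shown in the article.
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample log (not a real capture). conn=2 binds as alice and searches as bob;
# conn=3 binds as charlie and never proxies; conn=5 proxies but its BIND RES is not in the sample.
SAMPLE_LOG = """\
[27/May/2015:17:50:00 -0600] CONNECT conn=2 from=127.0.0.1:55217 to=127.0.0.1:2389 protocol=LDAP
[27/May/2015:17:50:00 -0600] BIND REQ conn=2 op=0 msgID=1 version=3 type=SIMPLE dn="uid=alice,ou=People,dc=example,dc=com"
[27/May/2015:17:50:00 -0600] BIND RES conn=2 op=0 msgID=1 result=0 authDN="uid=alice,ou=People,dc=example,dc=com" etime=1
[27/May/2015:17:50:00 -0600] SEARCH REQ conn=2 op=1 msgID=2 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=charlie)" attrs="ALL"
[27/May/2015:17:50:00 -0600] SEARCH RES conn=2 op=1 msgID=2 result=0 nentries=0 authzDN="uid=bob,ou=People,dc=example,dc=com" etime=2
[27/May/2015:17:50:00 -0600] UNBIND REQ conn=2 op=2 msgID=3
[27/May/2015:17:50:00 -0600] DISCONNECT conn=2 reason="Client Unbind"
[27/May/2015:17:51:00 -0600] BIND RES conn=3 op=0 msgID=1 result=0 authDN="uid=charlie,ou=People,dc=example,dc=com" etime=1
[27/May/2015:17:51:00 -0600] SEARCH RES conn=3 op=1 msgID=2 result=0 nentries=1 etime=2
[27/May/2015:17:51:00 -0600] DISCONNECT conn=3 reason="Client Unbind"
[27/May/2015:17:52:00 -0600] SEARCH RES conn=5 op=4 msgID=5 result=0 nentries=1 authzDN="uid=dave,ou=People,dc=example,dc=com" etime=1
"""

# "[timestamp] KIND rest" where KIND is e.g. CONNECT, BIND RES, SEARCH RES, DISCONNECT.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<kind>[A-Z]+(?:\s+(?:REQ|RES))?)\s*(?P<rest>.*)$')
# key=value pairs; quoted values may contain spaces (e.g. ou=Service Accounts).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its timestamp, operation kind and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "kind": m.group("kind")}
    for key, value in KV_RE.findall(m.group("rest")):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def find_proxied_operations(log_text: str) -> List[dict]:
    """Return every operation that carries authzDN, with the DN the connection was bound as."""
    bound: Dict[str, str] = {}  # conn id -> authDN from the last successful BIND RES
    findings: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "conn" not in rec:
            continue
        conn = rec["conn"]
        if rec["kind"] == "BIND RES" and rec.get("result") == "0" and "authDN" in rec:
            bound[conn] = rec["authDN"]
        elif rec["kind"] == "DISCONNECT":
            bound.pop(conn, None)
        if "authzDN" in rec:
            auth_dn = bound.get(conn)  # None when the bind is outside this log window
            findings.append({
                "ts": rec["ts"], "conn": conn, "op": rec.get("op"), "kind": rec["kind"],
                "authDN": auth_dn, "authzDN": rec["authzDN"],
                # Rough case-insensitive DN comparison; good enough for triage.
                "differs_from_bind": auth_dn is not None and auth_dn.lower() != rec["authzDN"].lower(),
            })
    return findings


def summarize_proxy_use(findings: List[dict]) -> Dict[str, set]:
    """Map each bound identity to the set of identities it acted as (for comparison with ldapsearch)."""
    by_user: Dict[str, set] = {}
    for f in findings:
        by_user.setdefault(f["authDN"] or "<bind not in sample>", set()).add(f["authzDN"])
    return by_user


if __name__ == "__main__":
    # Usage: python check_proxied_auth.py /path/to/opendj/logs/access   (defaults to the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in find_proxied_operations(text):
        print(f"{f['ts']} conn={f['conn']} op={f['op']} {f['kind']}: bound as {f['authDN']} acted as {f['authzDN']}")
    for user, targets in summarize_proxy_use(find_proxied_operations(text)).items():
        print(f"{user} -> {sorted(targets)}")
```

Every identity listed in the summary should correspond to an entry holding ds-privilege-name: proxied-auth and a matching proxy ACI; a bound DN that appears here but is absent from the ldapsearch output is worth investigating, as is an entry in the ldapsearch output that never appears in the logs (the privilege may simply be unnecessary and can be removed).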
Resolving the vulnerability
This issue can be resolved by upgrading to OpenDJ 2.6.3 or later; you can download this from BackStage.