OpenDJ Security Advisory #201508

Two security vulnerabilities have been discovered in all released versions of OpenDJ.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for the issues, which will also be included in the forthcoming OpenDJ 2.6.4 maintenance release.

The severity of the issues in this advisory is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update at the earliest opportunity.

The recommendation is to deploy the relevant patch or to upgrade to OpenDJ 2.6.4 when it becomes available.

Combined patches fixing all OpenDJ security advisories are available to customers for OpenDJ 2.6.0 – 2.6.3 from BackStage. Customers with other deployed patches should contact the support organization to obtain an updated patch. Customers running earlier releases need to upgrade. The fixes are also present in the community “trunk” nightly builds.

Issue #201508-01: LDAP read entry controls reveal protected attributes.
Product: OpenDJ
Affected versions: 2.4.0 – 2.4.6, 2.5.0-Xpress1, 2.6.0 – 2.6.3
Fixed versions: 3.0.0
Component: Core Server
Severity: Medium
JIRA ID: OPENDJ-2312

OpenDJ supports controls allowing an LDAP user to read and return the target entry of an update operation as part of the update operation itself. If the update operation succeeds, the target entry attributes should be returned subject to access control checks. These access control checks were not performed by OpenDJ, and the server would incorrectly return any attribute from the target entry.

The vulnerability can be exploited if the LDAP user performing the update has all of the following:

  • allowed access to use either the 1.3.6.1.1.13.1 or 1.3.6.1.1.13.2 controls;
  • allowed access to update (add/modify/delete/rename) an entry;
  • denied access to reading certain attributes on the entry being updated.

By default the impact is low because in OpenDJ anonymous users may not use these controls. By default authenticated users may only update their own entries, and anonymous users are read-only. By default users are prevented from reading only a few operational attributes from their own entry.

Customers with customized access control policies may wish to review them with ForgeRock support.

Workaround:

To prevent the vulnerability from being exploited, a simple solution is to temporarily restrict permission to use the two controls to trusted users until the patch is deployed. Ideally this would be done using the dsconfig command to identify the global ACI that allows the use of the two controls, and to then remove those two controls from that ACI’s targetcontrol list. Instructions for using dsconfig are in the OpenDJ Administration Guide.

A simple alternative would be to temporarily restrict the use of controls to RootDN users using the following ldapmodify command. Replace the connection parameters (host, port, bind DN and password file) and the base DN with the values for your deployment:

ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -j passwd.txt
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetcontrol="1.3.6.1.1.13.1 || 1.3.6.1.1.13.2")
 (version 3.0; acl "ForgeRock Security advisory 201508";
 deny(read) userdn="ldap:///anyone";)
-

Note: These controls are rarely used but you must test your applications to make sure they will not be affected. OpenAM does not use these controls and will not be affected. OpenDJ’s REST interfaces use these controls if the “readOnUpdatePolicy” configuration for an endpoint is set to “controls”.
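The following is an added example, not OpenDJ code or part of the advisory: it parses the workaround ACI above together with a constructed allow ACI standing in for the default grant, and shows why the targetcontrol deny blocks both a regular user and an anonymous bind while a root DN, which holds the bypass-acl privilege by default, keeps using the controls (1.3.6.1.1.13.1 and 1.3.6.1.1.13.2 are the LDAP pre-read and post-read controls). The ACI grammar it accepts is deliberately narrow and is an assumption, as are the user DN and ACI names.

```python
import re
# Assumed simplified grammar: one targetcontrol clause, allow/deny(read),
# userdn of "anyone", "all" or a single DN (enough for the workaround ACI).
ACI_RE = re.compile(
    r'\(targetcontrol="(?P<oids>[^"]+)"\)\s*'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\((?P<rights>[^)]+)\)\s*'
    r'userdn="ldap:///(?P<who>[^"]+)";\)')

def parse_aci(text):
    m = ACI_RE.fullmatch(" ".join(text.split()))  # joins LDIF continuation lines
    if not m:
        raise ValueError("unsupported ACI syntax: %r" % text)
    return {"effect": m["effect"], "who": m["who"],
            "oids": {o.strip() for o in m["oids"].split("||")},
            "rights": {r.strip() for r in m["rights"].split(",")}}

def may_use_control(acis, oid, bind_dn=None, bypass_acl=False):
    """bind_dn=None is anonymous. Deny beats allow and no matching allow means
    denied; bypass-acl (held by root DNs by default) skips ACIs entirely."""
    if bypass_acl:
        return True
    allowed = False
    for aci in acis:
        who = aci["who"]
        applies = (who == "anyone" or                         # incl. anonymous
                   (bind_dn is not None and (who == "all" or  # authenticated
                                             bind_dn.lower() == who.lower())))
        if not applies or oid not in aci["oids"] or "read" not in aci["rights"]:
            continue
        if aci["effect"] == "deny":
            return False
        allowed = True
    return allowed

# Constructed stand-in for the default ACI granting authenticated users the
# two controls (not the exact shipped text), plus the advisory's workaround.
ALLOW_AUTHENTICATED = ('(targetcontrol="1.3.6.1.1.13.1 || 1.3.6.1.1.13.2")'
    '(version 3.0; acl "constructed allow"; allow(read) userdn="ldap:///all";)')
WORKAROUND = ('(targetcontrol="1.3.6.1.1.13.1 || 1.3.6.1.1.13.2")\n'
    ' (version 3.0; acl "ForgeRock Security advisory 201508";\n'
    ' deny(read) userdn="ldap:///anyone";)')
POST_READ, USER = "1.3.6.1.1.13.2", "uid=bjensen,ou=People,dc=example,dc=com"

def demo():
    before = [parse_aci(ALLOW_AUTHENTICATED)]
    after = before + [parse_aci(WORKAROUND)]
    return (may_use_control(before, POST_READ, USER),   # True: allowed before the workaround
            may_use_control(after, POST_READ, USER),    # False: explicit deny wins
            may_use_control(after, POST_READ, None),    # False: anonymous
            may_use_control(after, POST_READ, "cn=Directory Manager", bypass_acl=True))  # True
```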

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #201508-02: OpenDJ Administration Connector doesn’t reject anonymous operations.
Product: OpenDJ
Affected versions: 2.4.0 – 2.4.6, 2.5.0-Xpress1, 2.6.0 – 2.6.3
Fixed versions: 3.0.0
Component: Core Server
Severity: Medium
JIRA ID: OPENDJ-2378

OpenDJ has a global configuration parameter called “reject-unauthenticated-requests” that can be set to disallow any non-authenticated request. This provides an additional layer of protection in the server on top of the normal access control protection. The parameter is honoured by the LDAP and LDAPS connection handlers (e.g. on ports 389 and 636); however, it was not applied to the administration connector interface, which typically listens on port 4444.

The parameter is set to “false” by default.

The bug’s impact is low, as access controls should always be used to enforce basic security and restrict the ability of non-authenticated connections to read or modify data.

Workaround:

Access controls should always be used to limit the data that non-authenticated connections can access. System-level firewall rules could be used to restrict access to the administration connector from only selected systems.
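Because the administration connector accepted unauthenticated requests regardless of this setting, a defender may want to check the access log for such traffic. The following added example (not OpenDJ's own code) scans access-log lines for non-bind operations on the administration port from connections that never completed a non-anonymous bind. The sample lines are constructed in the general shape of an OpenDJ access log, and the port number 4444 is taken from the text above as an assumption about the deployment.

```python
import re

# Constructed sample in the shape of an OpenDJ access log (not a real capture):
# conn=7 binds as a root DN before searching, conn=8 searches the admin
# connector without ever binding, conn=9 is on the ordinary LDAP port.
SAMPLE_LOG = """\
[14/Aug/2015:10:01:02 +0000] CONNECT conn=7 from=10.0.0.9:51234 to=10.0.0.1:4444 protocol=LDAPS
[14/Aug/2015:10:01:02 +0000] BIND REQ conn=7 op=0 msgID=1 version=3 type=SIMPLE dn="cn=Directory Manager"
[14/Aug/2015:10:01:02 +0000] BIND RES conn=7 op=0 msgID=1 result=0 authDN="cn=Directory Manager,cn=Root DNs,cn=config" etime=2
[14/Aug/2015:10:01:03 +0000] SEARCH REQ conn=7 op=1 msgID=2 base="cn=config" scope=baseObject filter="(objectClass=*)" attrs="ALL"
[14/Aug/2015:10:01:05 +0000] CONNECT conn=8 from=10.0.0.42:40111 to=10.0.0.1:4444 protocol=LDAPS
[14/Aug/2015:10:01:05 +0000] SEARCH REQ conn=8 op=0 msgID=1 base="cn=config" scope=wholeSubtree filter="(objectClass=*)" attrs="ALL"
[14/Aug/2015:10:01:06 +0000] CONNECT conn=9 from=10.0.0.42:40112 to=10.0.0.1:1389 protocol=LDAP
[14/Aug/2015:10:01:06 +0000] SEARCH REQ conn=9 op=0 msgID=1 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="cn"
[14/Aug/2015:10:01:07 +0000] DISCONNECT conn=8 reason="Client Disconnect"
"""
CONNECT_RE = re.compile(r'CONNECT conn=(\d+) from=(\S+) to=\S+:(\d+)')
BIND_RES_RE = re.compile(r'BIND RES conn=(\d+) .*?result=(\d+) authDN="([^"]*)"')
DISCONNECT_RE = re.compile(r'DISCONNECT conn=(\d+)')
REQ_RE = re.compile(r'(?P<op>[A-Z]+) REQ conn=(?P<conn>\d+)')

def find_unauthenticated_admin_ops(lines, admin_port=4444):
    """Return (conn, op, client) for each non-bind request sent over an
    administration-connector connection before any successful, non-anonymous
    bind. These are the requests reject-unauthenticated-requests should have
    refused, had the bug not exempted the admin connector."""
    admin_conns = {}        # conn id -> client address, admin connector only
    authenticated = set()   # conn ids bound as a real identity
    findings = []
    for line in lines:
        if m := CONNECT_RE.search(line):
            if int(m.group(3)) == admin_port:
                admin_conns[m.group(1)] = m.group(2)
        elif m := BIND_RES_RE.search(line):
            # result=0 with an empty authDN is an anonymous bind: not authenticated
            if m.group(2) == "0" and m.group(3):
                authenticated.add(m.group(1))
        elif m := DISCONNECT_RE.search(line):
            admin_conns.pop(m.group(1), None)
            authenticated.discard(m.group(1))
        elif m := REQ_RE.search(line):
            conn, op = m["conn"], m["op"]
            if conn in admin_conns and op not in ("BIND", "UNBIND") and conn not in authenticated:
                findings.append((conn, op, admin_conns[conn]))
    return findings

def demo():
    return find_unauthenticated_admin_ops(SAMPLE_LOG.splitlines())  # [('8', 'SEARCH', '10.0.0.42:40111')]
```

Run against a real log directory, the same function can be pointed at the ordinary LDAP ports to confirm that reject-unauthenticated-requests is behaving as expected there.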

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

©2018 ForgeRock