Spring-security: SEC-3187: LdapUserDetailsManager password change with LDAP operation (RFC 3062)

Created on 3 Jan 2016  路  16Comments  路  Source: spring-projects/spring-security

Mark Janssen (Migrated from SEC-3187) said:

Currently the LdapUserDetailsManager changePassword method modifies the password attribute directly. It would be better to (optionally) use the LDAP Password Modify Extended Operation as described in RFC 3062. This way, any associated attributes (e.g. Samba NTLM hashed passwords) will also be updated by the LDAP server.

ldap enhancement jira
Source
picture spring-issuemaster
👍2

Most helpful comment

Hi,

Is there any update on this?

picture carlspring on 27 Mar 2018
👍10

All 16 comments

This is a security issue, not just an improvement. By doing a direct modify on the userPassword attribute, the security configuration for userPassword is bypassed.

quanah picture quanah on 31 Oct 2017
👍3

I have noticed some clear password stored in my test LDAP database because of that. Any update on this?

We use a bcrypt module on the Ldap and the BCryptPasswordEncoder hash is not compatible with the bcrypt hash. Only the SSHA password and weak password encryption are available.

It's clearly a security issue.

kopax picture kopax on 31 Oct 2017

Hi,

Is there any update on this?

carlspring picture carlspring on 27 Mar 2018
👍10

+1

fuss86 picture fuss86 on 28 Mar 2018
👍5 👎1

+1

sbespalov picture sbespalov on 31 Mar 2018
👍5 👎1

@monowai,
Why the downvotes?

carlspring picture carlspring on 18 May 2018

+1

jacovt picture jacovt on 16 Jul 2018

This is raised when analyzing code through vulnerability analysis tools like Snyk:

https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-31644

jacovt picture jacovt on 16 Jul 2018
👍6

Yeah, we're getting it in our snyk.io reports as well!

Could we have an update on this, please?

carlspring picture carlspring on 16 Jul 2018
👍4

+1. This needs to be fixed.

acooley picture acooley on 18 Jul 2018
👍6

Are there any updates on this? @tekul, @rwinch, @jgrandja ping?

steve-todorov picture steve-todorov on 24 Jul 2018
👍1

Is there any update on this? It's been around for a while now and it's causing our snyk.io checks to fail, (which is, of course the least of our concerns, given the seriousness of the issue). Could we get some sort of update, please?

carlspring picture carlspring on 3 Oct 2018

Thanks for fixing this @jzheaux ! In which version do you think this will be released and any idea when that will be? :)

carlspring picture carlspring on 15 Oct 2018

@carlspring Looks like I failed to add the milestone earlier.

It's available in 4.2.9, 5.0.9, and 5.1.1, which are in Maven Central now.

jzheaux picture jzheaux on 16 Oct 2018

Is there any plan to get a CVE for this issue?

ddillard picture ddillard on 4 Jan 2019

@ddillard No. This was not a feature that was supported, so users would have been expected to hash it themselves.

rwinch picture rwinch on 8 Jan 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mraible picture mraible  路  3Comments
kazuki43zoo picture kazuki43zoo  路  4Comments
lexburner picture lexburner  路  3Comments
spring-issuemaster picture spring-issuemaster  路  4Comments
joshlong picture joshlong  路  3Comments