[jira] [Commented] (DERBY-7147) LDAP injection vulnerability in LDAPAuthenticationImpl

Thu, 08 Dec 2022 14:01:07 -0800 


    [ 
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645003#comment-17645003
 ] 

Richard N. Hillegas commented on DERBY-7147:
--------------------------------------------

I'm done with the work I plan to do on this issue. We could work on a 10.16.2 
release to publish the fix. But producing a release is a considerable amount of 
work. In addition, year end is an awkward time to ask the community to vet a 
new release. Maybe it makes sense to sweep up more fixes first and publish a 
release in the spring.

I don't have a sense of how many Derby installations rely on LDAP.

Without an exploit, it's hard to gauge the severity of this bug. The only 
exploit I can imagine is someone logging onto an LDAP-protected Derby 
installation with a very strange name, which no one would choose for a real 
user. I do not see a privacy or data corruption attack if GRANT/REVOKE 
authorization is turned on. But the fake user would have the ability to create 
databases and tables. That is, resource-exhaustion and denial-of-service 
attacks might be possible.

What are your thoughts?


> LDAP injection vulnerability in LDAPAuthenticationImpl
> ------------------------------------------------------
>
>                 Key: DERBY-7147
>                 URL: https://issues.apache.org/jira/browse/DERBY-7147
>             Project: Derby
>          Issue Type: Bug
>          Components: JDBC
>    Affects Versions: 10.16.1.1
>            Reporter: Richard N. Hillegas
>            Assignee: Richard N. Hillegas
>            Priority: Major
>         Attachments: derby-7147-01-aa-reformatForReadability.diff, 
> derby-7147-02-aa-escapeLDAPsearchFilter.diff, 
> derby-7147-02-ab-escapeLDAPsearchFilter.diff, 
> derby-7147-03-aa-updateLDAPinstructions.diff, 
> derby-7147-03-aa-updateLDAPinstructions.tar, 
> derby-7147-03-ab-updateLDAPinstructions.diff, 
> derby-7147-03-ab-updateLDAPinstructions.tar, 
> derby-7147-04-aa-pointLDAPTestAtInstructions.diff
>
>
> An LDAP injection vulnerability has been identified in 
> LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been 
> provided, but there is a possibility that an intruder could bypass 
> authentication checks in Derby-powered applications which rely on external 
> LDAP servers.
> For more information on LDAP injection, see 
> https://www.synopsys.com/glossary/what-is-ldap-injection.html



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to