
SEC-3187: LdapUserDetailsManager password change with LDAP operation (RFC 3062) #3392


Closed
spring-projects-issues opened this issue Jan 3, 2016 · 16 comments
Assignees
Labels
in: ldap (An issue in spring-security-ldap), type: enhancement (A general enhancement), type: jira (An issue that was migrated from JIRA)
Milestone

Comments

@spring-projects-issues

Mark Janssen (Migrated from SEC-3187) said:

Currently the LdapUserDetailsManager changePassword method modifies the password attribute directly. It would be better to (optionally) use the LDAP Password Modify Extended Operation as described in RFC 3062. This way, any associated attributes (e.g. Samba NTLM hashed passwords) will also be updated by the LDAP server.

@spring-projects-issues spring-projects-issues added the labels in: ldap (An issue in spring-security-ldap), type: enhancement (A general enhancement), type: jira (An issue that was migrated from JIRA) on Feb 5, 2016
@quanah

quanah commented Oct 31, 2017

This is a security issue, not just an improvement. By doing a direct modify on the userPassword attribute, the security configuration for userPassword is bypassed.
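The following is an added example, not Spring Security's own code and not posted by anyone in this thread. It illustrates both points made above: the original request (use the RFC 3062 Password Modify extended operation so the directory server hashes the password and updates dependent attributes) and quanah's observation that a direct write to userPassword bypasses the server's password configuration. It is a plain JNDI ExtendedRequest that BER-encodes the RFC 3062 request value; the OID 1.3.6.1.4.1.4203.1.11.1 is the one assigned by RFC 3062, while the class name, host, DNs and the idea of reading passwords from program arguments are placeholders chosen for the example.

```java
// Added example (not Spring Security's code): a JNDI ExtendedRequest carrying the
// RFC 3062 Password Modify operation, so the LDAP server, not the client, hashes the
// new password and keeps attributes that depend on it (e.g. Samba NT hashes) in sync.
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public final class PasswordModifyExample {

    /** Request OID assigned by RFC 3062. */
    static final String PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1";

    /**
     * PasswdModifyRequestValue ::= SEQUENCE {
     *   userIdentity [0] OCTET STRING OPTIONAL,
     *   oldPasswd    [1] OCTET STRING OPTIONAL,
     *   newPasswd    [2] OCTET STRING OPTIONAL }
     */
    static final class PasswordModifyRequest implements ExtendedRequest {
        private static final byte SEQUENCE      = 0x30;          // universal SEQUENCE
        private static final byte USER_IDENTITY = (byte) 0x80;   // [0] context-specific, primitive
        private static final byte OLD_PASSWD    = (byte) 0x81;   // [1]
        private static final byte NEW_PASSWD    = (byte) 0x82;   // [2]

        private final byte[] encoded;

        PasswordModifyRequest(String userIdentity, String oldPassword, String newPassword) {
            ByteArrayOutputStream body = new ByteArrayOutputStream();
            // All three fields are optional in the RFC; a server may generate newPasswd when it
            // is omitted. This helper always sends one so the outcome is deterministic.
            if (userIdentity != null) writeTlv(body, USER_IDENTITY, userIdentity);
            if (oldPassword != null)  writeTlv(body, OLD_PASSWD, oldPassword);
            writeTlv(body, NEW_PASSWD, newPassword);

            byte[] inner = body.toByteArray();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            out.write(SEQUENCE);
            writeLength(out, inner.length);
            out.write(inner, 0, inner.length);
            this.encoded = out.toByteArray();
        }

        private static void writeTlv(ByteArrayOutputStream out, byte tag, String value) {
            byte[] v = value.getBytes(StandardCharsets.UTF_8);
            out.write(tag);
            writeLength(out, v.length);
            out.write(v, 0, v.length);
        }

        /** BER definite length: short form below 128, long form (0x81 / 0x82 prefix) above. */
        private static void writeLength(ByteArrayOutputStream out, int len) {
            if (len < 0x80) {
                out.write(len);
            } else if (len < 0x100) {
                out.write(0x81);
                out.write(len);
            } else {
                out.write(0x82);
                out.write(len >>> 8);
                out.write(len & 0xFF);
            }
        }

        @Override public String getID() { return PASSWORD_MODIFY_OID; }
        @Override public byte[] getEncodedValue() { return encoded.clone(); }
        // RFC 3062 only returns a response value when the server generated the password,
        // which this helper never asks for, so no response object is needed.
        @Override public ExtendedResponse createExtendedResponse(String id, byte[] berValue,
                                                                 int offset, int length) {
            return null;
        }
    }

    // Usage: java PasswordModifyExample <currentPassword> <newPassword>
    // (placeholder host and DN; real code would read the passwords from a console, not argv)
    public static void main(String[] args) throws NamingException {
        String userDn = "uid=alice,ou=people,dc=example,dc=invalid";
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.invalid:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, args[0]);

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            // The direct-modify path this issue reports would instead call
            // ctx.modifyAttributes(userDn, ...) on userPassword, storing whatever bytes the client
            // sent and bypassing the server's password policy and attribute synchronisation.
            ctx.extendedOperation(new PasswordModifyRequest(userDn, args[0], args[1]));
        } finally {
            ctx.close();
        }
    }
}
```

Two practical notes. First, on OpenLDAP the server-side `password-hash` setting applies only to passwords set through this extended operation; a plain modify of `userPassword` stores the value exactly as sent, which is the cleartext-in-the-directory outcome described later in this thread. Second, the fix referenced below makes this a configuration switch on LdapUserDetailsManager rather than a separate class; in the released API that switch is the `setUsePasswordModifyExtensionOp(true)` setter (the method name comes from the released Spring Security code, not from this page). A quick check that the extended path is actually in use is to read back `userPassword` as a directory administrator after a change: with the extended operation it carries the server's scheme prefix (for example `{SSHA}`), whereas a direct write leaves the client-supplied value.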

@kopax

kopax commented Oct 31, 2017

I have noticed some cleartext passwords stored in my test LDAP database because of that. Any update on this?

We use a bcrypt module on the LDAP and the BCryptPasswordEncoder hash is not compatible with the bcrypt hash. Only the SSHA password and weak password encryption are available.

It's clearly a security issue.

@carlspring

Hi,

Is there any update on this?

@fuss86

fuss86 commented Mar 27, 2018

+1

@sbespalov
Contributor

+1

@carlspring

@monowai,
Why the downvotes?

@jacovt

jacovt commented Jul 16, 2018

+1

@jacovt

jacovt commented Jul 16, 2018

This is raised when analyzing code through vulnerability analysis tools like Snyk:

https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-31644

@carlspring

Yeah, we're getting it in our snyk.io reports as well!

Could we have an update on this, please?

@acooley

acooley commented Jul 18, 2018

+1. This needs to be fixed.

@steve-todorov

Are there any updates on this? @tekul, @rwinch, @jgrandja ping?

@carlspring

Is there any update on this? It's been around for a while now and it's causing our snyk.io checks to fail (which is, of course, the least of our concerns, given the seriousness of the issue). Could we get some sort of update, please?

@jzheaux jzheaux self-assigned this Oct 4, 2018
jzheaux added a commit to jzheaux/spring-security that referenced this issue Oct 15, 2018
LdapUserDetailsManager can be configured to either use direct
attribute modification or the LDAP Password Modify Extended Operation
to change a user's password.

Fixes: spring-projectsgh-3392
jzheaux added a commit that referenced this issue Oct 15, 2018
LdapUserDetailsManager can be configured to either use direct
attribute modification or the LDAP Password Modify Extended Operation
to change a user's password.

Fixes: gh-3392
jzheaux added a commit that referenced this issue Oct 15, 2018
LdapUserDetailsManager can be configured to either use direct
attribute modification or the LDAP Password Modify Extended Operation
to change a user's password.

Fixes: gh-3392
@carlspring

Thanks for fixing this @jzheaux! In which version do you think this will be released, and any idea when that will be? :)

@jzheaux jzheaux added this to the 5.1.1 milestone Oct 16, 2018
@jzheaux
Contributor

jzheaux commented Oct 16, 2018

@carlspring Looks like I failed to add the milestone earlier.

It's available in 4.2.9, 5.0.9, and 5.1.1, which are in Maven Central now.

@ddillard

ddillard commented Jan 4, 2019

Is there any plan to get a CVE for this issue?

@rwinch
Member

rwinch commented Jan 8, 2019

@ddillard No. This was not a feature that was supported, so users would have been expected to hash it themselves.
