[ome-users] [SECURITY] Release of OMERO 4.3.4

[Leon Kolchinsky]

Hello Chris,

We're using the old auth. schema:
omero.security.password_provider=chainedPasswordProvider431

And I've tested it and couldn't login using empty string ""

Do you know if "chainedPasswordProvider431" affected by this
security vulnerability?

Cheers,
Leon Kolchinsky



On Wed, Jan 25, 2012 at 07:18, Chris Allan <callan at lifesci.dundee.ac.uk>wrote:

> Synopsis
> ========
>
> An LDAP authentication vulnerability has been found in OMERO.server.
>
> Background
> ==========
>
> When OMERO.server has LDAP authentication enabled and the LDAP server
> allows
> anonymous binds the use of an empty ("") password via the OMERO.server API
> permits logging in as any LDAP-based user.
>
> Affected packages
> =================
>
> -------------------------------------------------------------------
> Package / Vulnerable / Unaffected
> -------------------------------------------------------------------
> OMERO.server < 4.3.4
>
> Impact
> ======
>
> A remote attacker could possibly login to accounts he/she is not permitted
> to access via the OMERO.server API.  Logins via OMERO.insight or OMERO.web
> are not affected.
>
> Workaround
> ==========
>
> Disable LDAP authentication.
>
> Resolution
> ==========
>
> All OMERO.server users should upgrade to at least 4.3.4:
>
>  * http://www.openmicroscopy.org/site/support/omero4/downloads
>
> Thanks
> ======
>
> Sebastien Besson [1] for notifying the OME team of this security issue.
>
>  [1]
> http://lists.openmicroscopy.org.uk/pipermail/ome-devel/2012-January/002118.html
> _______________________________________________
> ome-users mailing list
> ome-users at lists.openmicroscopy.org.uk
> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openmicroscopy.org.uk/pipermail/ome-users/attachments/20120125/c710ef54/attachment.html>