[ome-users] [SECURITY] Release of OMERO 4.3.4

Josh Moore josh at glencoesoftware.com
Wed Jan 25 07:45:15 GMT 2012


On Jan 24, 2012, at 11:14 PM, Leon Kolchinsky wrote:

> Hello Chris,

Morning Leon,

> We're using the old auth. schema:
> omero.security.password_provider=chainedPasswordProvider431
> 
> And I've tested it and couldn't login using empty string ""

Did you try to log in via one of the clients or the Python API? If so, this is disabled (client-side) and so won't properly test the issue. If you tried via the Java API, as Sebastien did from Matlab, and it still works, then most likely anonymous binds are not enabled on your LDAP server, and therefore your server is not vulnerable.

If you'd like to definitely test, place the attached jar (also contains the source file and an ant build script) in your OMERO deployment directory (from where you run bin/omero).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sec.jar
Type: application/java-archive
Size: 1574 bytes
Desc: not available
URL: <http://lists.openmicroscopy.org.uk/pipermail/ome-users/attachments/20120125/c60597f8/attachment.jar>
-------------- next part --------------


Execute by passing the name of an LDAP user to sec.jar. In 4.3.4, you will see a PermissionDeniedException:

$ java -jar sec.jar --omero.host=localhost --omero.user=jmoore --omero.pass=""
Exception in thread "main" Glacier2.PermissionDeniedException
    reason = "Password check failed for 'jmoore': [id=4453]"
        ...
	at omero.client.createSession(client.java:567)
	at sec.main(sec.java:8)

> Do you know if "chainedPasswordProvider431" is affected by this security vulnerability?

chainedPasswordProvider431 (along with all previous versions of the LdapPasswordProvider) suffers from this vulnerability. chainedPasswordProvider431 in 4.3.4 has also been fixed; the only difference is that there is extra logging in the non-431 version:

  2012-01-24 19:51:29,542 WARN  [  ome.security.auth.LdapPasswordProvider] (l.Server-9) Empty password for user: jmoore

which will be missing from your log.

> Cheers,
> Leon Kolchinsky

Best wishes,
~Josh

> On Wed, Jan 25, 2012 at 07:18, Chris Allan <callan at lifesci.dundee.ac.uk>wrote:
> 
>> Synopsis
>> ========
>> 
>> An LDAP authentication vulnerability has been found in OMERO.server.
>> 
>> Background
>> ==========
>> 
>> When OMERO.server has LDAP authentication enabled and the LDAP server
>> allows
>> anonymous binds the use of an empty ("") password via the OMERO.server API
>> permits logging in as any LDAP-based user.
>> 
>> Affected packages
>> =================
>> 
>> -------------------------------------------------------------------
>> Package / Vulnerable / Unaffected
>> -------------------------------------------------------------------
>> OMERO.server < 4.3.4
>> 
>> Impact
>> ======
>> 
>> A remote attacker could possibly log in to accounts he/she is not permitted
>> to access via the OMERO.server API.  Logins via OMERO.insight or OMERO.web
>> are not affected.
>> 
>> Workaround
>> ==========
>> 
>> Disable LDAP authentication.
>> 
>> Resolution
>> ==========
>> 
>> All OMERO.server users should upgrade to at least 4.3.4:
>> 
>> * http://www.openmicroscopy.org/site/support/omero4/downloads
>> 
>> Thanks
>> ======
>> 
>> Sebastien Besson [1] for notifying the OME team of this security issue.
>> 
>> [1]
>> http://lists.openmicroscopy.org.uk/pipermail/ome-devel/2012-January/002118.html
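The mechanism behind the advisory above, as an added example that is not OMERO's code and not part of this thread: an LDAP simple bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2), which a directory that permits anonymous access accepts, so a password provider that forwards the user's password verbatim "authenticates" anyone who sends "". The directory class, the DN layout and the sample credentials below are constructed stand-ins; the hardened check rejects the empty password before anything is sent to the directory and emits a warning in the same shape as the log line Josh quotes.

```python
"""
Added example (not OMERO's own code): vulnerable versus hardened handling
of an empty LDAP password in a password provider.
"""
import logging

logging.basicConfig(format="%(asctime)s %(levelname)s  [%(name)s] %(message)s")
log = logging.getLogger("ome.security.auth.LdapPasswordProvider")


class AnonymousBindDirectory:
    """Constructed stand-in for an LDAP server that allows anonymous binds."""

    def __init__(self, passwords):
        # dn -> password; constructed test data, not real credentials
        self._passwords = passwords

    def simple_bind(self, dn, password):
        # RFC 4513 5.1.2: DN plus empty password is an unauthenticated bind,
        # which a server permitting anonymous access reports as successful.
        if password == "":
            return True
        return self._passwords.get(dn) == password


def dn_for(username):
    # Assumed DN layout for the example; a real provider builds this from
    # its configured base DN and user filter.
    return f"uid={username},ou=people,dc=example,dc=org"


def check_password_vulnerable(directory, username, password):
    """Pre-4.3.4 behaviour as the advisory describes it: forward the
    password as-is, so "" turns into an anonymous bind that succeeds."""
    return directory.simple_bind(dn_for(username), password)


def check_password_fixed(directory, username, password):
    """Hardened check: refuse an empty password before contacting LDAP and
    log it, so the attempt is visible in the server log."""
    if password is None or password == "":
        log.warning("Empty password for user: %s", username)
        return False
    return directory.simple_bind(dn_for(username), password)


if __name__ == "__main__":
    directory = AnonymousBindDirectory(
        {"uid=jmoore,ou=people,dc=example,dc=org": "s3cret"}  # constructed
    )
    print("vulnerable, empty password:", check_password_vulnerable(directory, "jmoore", ""))
    print("fixed, empty password:     ", check_password_fixed(directory, "jmoore", ""))
    print("fixed, correct password:   ", check_password_fixed(directory, "jmoore", "s3cret"))
```

The rejection has to happen on the server side of the provider: as the thread notes, the clients already refuse an empty password, which is why testing through OMERO.insight or the Python client does not exercise the bug, while a direct API call does. Disabling anonymous binds on the directory closes the same hole from the other end, which is why a server without them is not vulnerable.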

