[ome-devel] [SECURITY] Release of OMERO 4.3.4
Chris Allan
callan at lifesci.dundee.ac.uk
Tue Jan 24 20:18:33 GMT 2012
Synopsis
========
An LDAP authentication vulnerability has been found in OMERO.server.
Background
==========
When OMERO.server has LDAP authentication enabled and the LDAP server allows
anonymous binds, supplying an empty ("") password via the OMERO.server API
permits logging in as any LDAP-based user.
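The mechanism behind this class of bug, as an added illustration that is not OMERO's own code: an LDAP simple bind with a DN and a zero-length password is an unauthenticated bind (RFC 4513 section 5.1.2), which a server permitting anonymous access answers with success even though no credential was checked. The directory contents, DN and server model below are constructed for the example; the hardened check rejects the empty password before binding and only trusts a bind that authenticated the requested DN.

```python
"""Added example (not OMERO code): LDAP unauthenticated-bind pitfall
and a hardened login check."""
from dataclasses import dataclass
from typing import Dict

# Constructed directory: user DN -> password. Not a real deployment.
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY: Dict[str, str] = {ALICE_DN: "correct-horse"}


class InvalidCredentials(Exception):
    """Stands in for LDAP resultCode invalidCredentials (49)."""


@dataclass
class SimulatedLdapServer:
    """Minimal model of simple-bind semantics. A DN plus an empty password
    is an *unauthenticated* bind; a server that allows anonymous access
    returns success for it without verifying any password."""
    allow_anonymous: bool = True

    def simple_bind(self, dn: str, password: str) -> str:
        """Return the identity the bind established ('anonymous' or the DN)."""
        if password == "":
            if self.allow_anonymous:
                return "anonymous"  # success, but no identity was proven
            raise InvalidCredentials("unauthenticated bind refused")
        if DIRECTORY.get(dn) == password:
            return dn
        raise InvalidCredentials("wrong password")


def naive_login(server: SimulatedLdapServer, dn: str, password: str) -> bool:
    """Vulnerable pattern: any successful bind is taken as proof of identity."""
    try:
        server.simple_bind(dn, password)
        return True
    except InvalidCredentials:
        return False


def hardened_login(server: SimulatedLdapServer, dn: str, password: str) -> bool:
    """Fixed pattern: refuse an empty password before contacting the server,
    and accept only a bind that authenticated the requested DN itself."""
    if not password:
        return False
    try:
        return server.simple_bind(dn, password) == dn
    except InvalidCredentials:
        return False
```

With anonymous binds enabled, `naive_login` accepts the empty password for any DN while `hardened_login` rejects it; disabling anonymous binds on the directory side is the complementary server-level control.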
Affected packages
=================
-------------------------------------------------------------------
Package              /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
OMERO.server            < 4.3.4        >= 4.3.4
Impact
======
A remote attacker could possibly log in to accounts they are not permitted
to access via the OMERO.server API. Logins via OMERO.insight or OMERO.web
are not affected.
Workaround
==========
Disable LDAP authentication.
Resolution
==========
All OMERO.server users should upgrade to at least 4.3.4:
* http://www.openmicroscopy.org/site/support/omero4/downloads
Thanks
======
Sebastien Besson [1] for notifying the OME team of this security issue.
[1] http://lists.openmicroscopy.org.uk/pipermail/ome-devel/2012-January/002118.html