[ome-devel] [SECURITY] Release of OMERO 4.3.4

Chris Allan callan at lifesci.dundee.ac.uk
Tue Jan 24 20:18:33 GMT 2012


Synopsis
========

An LDAP authentication vulnerability has been found in OMERO.server.

Background
==========

When OMERO.server has LDAP authentication enabled and the LDAP server allows
anonymous binds, the use of an empty ("") password via the OMERO.server API
permits logging in as any LDAP-based user.
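
Added illustration, not OMERO code: a toy model of the LDAP "unauthenticated bind" (RFC 4513, section 5.1.2) that produces this behaviour, beside the pre-bind check a login path should apply. The directory contents, DN and password are constructed.

```python
# Added example (not OMERO's own code). Models an LDAP simple bind where a DN
# plus an empty password is an "unauthenticated bind": if the server allows
# anonymous access the bind succeeds, but the session is anonymous, not the
# named user. A login that only asks "did the bind succeed?" is then fooled.
from dataclasses import dataclass

# Constructed sample directory: DN -> password.
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY = {ALICE_DN: "correct horse battery staple"}


@dataclass
class BindResult:
    success: bool
    authz_id: str  # "" means the session is anonymous


def ldap_bind(dn: str, password: str, allow_anonymous: bool = True) -> BindResult:
    """Mimic a directory server's simple bind (RFC 4513 section 5.1)."""
    if password == "":
        # Unauthenticated bind: succeeds on servers that allow anonymous
        # access, but nobody is authenticated.
        return BindResult(success=allow_anonymous, authz_id="")
    if DIRECTORY.get(dn) == password:
        return BindResult(success=True, authz_id=dn)
    return BindResult(success=False, authz_id="")


def login_vulnerable(dn: str, password: str) -> bool:
    # Treats "the bind did not fail" as proof of identity.
    return ldap_bind(dn, password).success


def login_fixed(dn: str, password: str) -> bool:
    # Refuse empty credentials before contacting the directory, and insist
    # that the session is really bound as the claimed DN, not anonymously.
    if not password:
        return False
    result = ldap_bind(dn, password)
    return result.success and result.authz_id == dn
```

The same pre-bind check is worth applying even when the directory rejects anonymous binds, so that a later change in directory configuration cannot reopen the hole.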

Affected packages
=================

-------------------------------------------------------------------
Package              Vulnerable        Unaffected
-------------------------------------------------------------------
OMERO.server         < 4.3.4           >= 4.3.4
-------------------------------------------------------------------

Impact
======

A remote attacker could log in via the OMERO.server API to accounts he/she is
not permitted to access.  Logins via OMERO.insight or OMERO.web are not
affected.

Workaround
==========

Disable LDAP authentication.

Resolution
==========

All OMERO.server users should upgrade to at least 4.3.4:

* http://www.openmicroscopy.org/site/support/omero4/downloads

Thanks
======

Sebastien Besson [1] for notifying the OME team of this security issue.

[1] http://lists.openmicroscopy.org.uk/pipermail/ome-devel/2012-January/002118.html
