-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2016-8750: Apache Karaf's LDAPLoginModule is vulnerable to LDAP
injection

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache Karaf prior to 4.0.8.

Description:

Apache Karaf uses the LDAPLoginModule to authenticate users to a directory
via LDAP. However, it does not encode usernames properly and is therefore
vulnerable to LDAP injection attacks.

While it appears that it is not possible to exploit this vulnerability to
give an attacker remote access, it does allow an attacker to insert special
characters into the search query step. It can therefore potentially be
exploited as part of a Denial of Service attack.
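The encoding problem the description refers to, shown as an added illustration that is not Apache Karaf's code and not taken from the fix commit: an RFC 4515 filter-value escaper placed beside plain string substitution, both applied to constructed usernames. The `(uid=%u)` template, the function names and the sample usernames are assumptions made for this example; the template only mirrors the general shape of a user-search filter in an LDAP login module.

```python
# Added example (not Apache Karaf's code): how an LDAP search filter built from
# an unescaped username changes structure, and the RFC 4515 escaping that
# keeps the username a single literal value.

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Hypothetical login-module filter template (assumption for this example; the
# real setting and its value are not taken from the advisory).
USER_FILTER_TEMPLATE = "(uid=%u)"


def escape_filter_value(value: str) -> str:
    """Escape every RFC 4515 special character so the value is matched literally."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str) -> str:
    """Plain substitution: filter metacharacters in the username reach the server."""
    return USER_FILTER_TEMPLATE.replace("%u", username)


def build_filter_hardened(username: str) -> str:
    """Substitution of the escaped value: the username stays one literal token."""
    return USER_FILTER_TEMPLATE.replace("%u", escape_filter_value(username))


def count_components(filt: str) -> int:
    """Number of filter components, i.e. unescaped '(' characters.

    Escaped parentheses appear as \\28 / \\29 and are not counted, so a correctly
    escaped single-assertion template always yields exactly one component.
    """
    return filt.count("(")


def is_balanced(filt: str) -> bool:
    """True when every '(' is closed and no ')' appears before its '('."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def assess(username: str) -> dict:
    """Build both filters for one username and report their structure."""
    vuln = build_filter_vulnerable(username)
    safe = build_filter_hardened(username)
    return {
        "vulnerable_filter": vuln,
        "vulnerable_components": count_components(vuln),
        "vulnerable_balanced": is_balanced(vuln),
        "hardened_filter": safe,
        "hardened_components": count_components(safe),
        "hardened_balanced": is_balanced(safe),
    }


if __name__ == "__main__":
    # Constructed sample usernames: a normal one, one carrying parentheses that
    # add a second filter component, and one carrying a wildcard.
    for name in ("alice", "alice)(objectClass=*", "a*"):
        for key, value in assess(name).items():
            print(f"{name!r:28} {key}: {value}")
        print()
```

The structural checks make the difference visible without a directory server: with plain substitution a username containing `)(` produces a filter with two components, and a stray `*` turns an equality match into a substring match that the server must evaluate across the whole subtree, which is the kind of extra work behind the advisory's Denial of Service remark. After escaping, every username yields exactly one balanced `(uid=...)` assertion, whatever characters it contains.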

This has been fixed in revision:

https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=ac07cb2

Migration:

Apache Karaf users should upgrade to 4.0.8 or later as soon as possible.

Credit: This issue was reported by Colm O hEigeartaigh of Talend.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJYkc56AAoJEL/y7kLIKC52660QAKHpTfaclfh8BfxLuDwENynF
robX69nTsCrKUL9ryxmkw3dCIGkv/ltJyadUvr3dZpzksUngo95al5E5rG7ZQ9q9
uZsvxpvIIhzLPgpRF6QrkW/LkOYxGTtPm5SWrE0tHkXY7G38BIJQXPITWQymzMST
F1HkPJwgfhkjzdgpHL4u6o/RAuOvljiiC0jb/f5SXtZZj4ZRF98+0eZxU4pzr44s
8a0Jtl5HqAoBte1hUNmH4hHqldm61ojNEJiJXdFSlm4zT9Clm6adQ+uwojw27B5K
EsFbgmpek7NwYYF1cH8Q+DPGtgmH/sWaPp1DzsjrrCpQXMF/s1mTuJVKxyycsYBV
+uV8L1m4zYsmVP5ysmquCmWm/mpACJhe6/ONr4diLVUCvR2kwwyqVw/ArfoLaQw7
4G48QbcM7c5AK1WjV9C4LsaC0hB8PAWHM54GZRDDvxZ9IVR+vhCIP8UbAi3Ega+n
B36pOqPK1sC9ceNt+Xrp4zf9uRzlvu7t22zXQf6HKIu3FxUyGEzUY6w/BAvn2vYL
0VJzgQwZHPj85fiRyjPZZfcp/e2m/hgZDeZcQljTpA434tzP9JMGiJbTwujufK5l
UZvDk97FvylyBAl2RD0GdooVQTIcfIW4Mxcj3oFb4l6w0CyTpiy2xXfWkDT3gGE4
v1h47xUxrXuThMfDZ7A7
=V/zt
-----END PGP SIGNATURE-----