-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2016-8750: Apache Karaf's LDAPLoginModule is vulnerable to LDAP injection

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache Karaf prior to 4.0.8.

Description:
Apache Karaf uses the LDAPLoginModule to authenticate users against a directory
via LDAP. However, it does not escape usernames properly before placing them in
the LDAP search query, and hence it is vulnerable to LDAP injection attacks.
While it appears that this vulnerability cannot be exploited to give an attacker
remote access, it does allow an attacker to insert special characters into the
search query step. It can therefore potentially be exploited as part of a
Denial of Service attack.
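The following is an added example and not code from Apache Karaf or from the fix referenced below. It shows the difference between substituting a raw username into an LDAP search filter and escaping it first according to RFC 4515 (backslash, asterisk, parentheses and NUL become backslash-hex sequences), plus a small detection helper that flags usernames carrying filter metacharacters. The filter template with a `%u` placeholder, the function names and the sample inputs are assumptions made for this illustration.

```python
import re

# RFC 4515 escaping for values embedded in an LDAP search filter.
# Backslash is listed first so that it is escaped before any of the
# other replacements introduce new backslashes.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Matches any character that can change the structure of a filter.
_FILTER_SPECIALS = re.compile(r"[\\*()\x00]")


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only be interpreted as literal text
    inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(user_filter: str, username: str) -> str:
    """Vulnerable pattern (assumed template with a %u placeholder):
    the raw username is substituted into the filter, so filter
    metacharacters in the username alter the query structure."""
    return user_filter.replace("%u", username)


def build_user_filter(user_filter: str, username: str) -> str:
    """Hardened pattern: the username is escaped before substitution,
    so it is always matched as a literal attribute value."""
    return user_filter.replace("%u", escape_filter_value(username))


def contains_filter_metacharacters(username: str) -> bool:
    """Detection helper: true when a submitted username carries
    characters that only make sense as LDAP filter syntax. Useful for
    logging or alerting on login attempts, independent of escaping."""
    return _FILTER_SPECIALS.search(username) is not None


if __name__ == "__main__":
    template = "(uid=%u)"  # assumed template, not taken from the advisory
    # Constructed sample usernames: one ordinary, one with filter syntax.
    for name in ("alice", "*)(uid=*"):
        print(f"{name!r}: unsafe={build_user_filter_unsafe(template, name)} "
              f"escaped={build_user_filter(template, name)} "
              f"flagged={contains_filter_metacharacters(name)}")
```

The escaped form of the second sample remains a single `uid` equality match whose value happens to contain literal asterisks and parentheses, whereas the unsafe form has become two filter components. Escaping is the fix; the metacharacter check is only a detection signal and is not a substitute for it.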
This has been fixed in revision:
https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=ac07cb2

Migration:
Apache Karaf users should upgrade to 4.0.8 or later as soon as possible.

Credit: This issue was reported by Colm O hEigeartaigh of Talend.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----