Page tree
Skip to end of metadata
Go to start of metadata

Date: 17 April 2019

Severity: High (CVSS 8.0)

Affected versions: all AD and LDAP connector versions (indirectly: all midPoint versions)

Fixed in versions: 2.1, 1.6.1

Description

LDAP and Active Directory connectors are not properly checking TLS/SSL certificate validity.

Severity and Impact

This is high-severity issue. The connections are open to man-in-the-middle attack. The severity of this attack may be limited by the fact, that in many midPoint deployments the AD and LDAP connections are established over a trusted networks. However, as midPoint is transferring sensitive information over such connections user are advised to mitigate this issue immediately.

Mitigation

LDAP and LDAP-based Active Directory connectors that are used by in supported midPoint versions were fixed. MidPoint deployments should update the LDAP/AD connector bundle as soon as possible. Recommended connector versions:

MidPoint versionRecommended LDAP/AD connector version
3.9 and later2.1
3.6.x, 3.7.x, 3.8.x1.6.1

As this severity issue, updated connector versions were released immediately.

Discussion and Explanation

Those LDAP-based connectors are using Apache Directory API as a library to access LDAP servers. The default setting of Apache Directory API was to use "no verification" trust manager. Therefore certificate verification was skipped. It is not clear whether this was the original default or whether it was changed during the course of LDAP connector development, therefore we consider all pre-existing LDAP and AD connector versions as vulnerable.

Connector code was updated to use system trust manager as a default choice. New configuration option allowUntrustedSsl was provided for the cases when certification validation needs to be skipped by purpose.

Credit

Variants of this issue were reported by Martin Lizner, who has also contributed the fix for this issue. The report was processed by the means of EU-Free and Open Source Software Auditing (EU-FOSSA2) project.

See Also

  • No labels