Date: Tue, 10 Jul 2018 11:41:08 +0200 From: Emmanuel Lecharny <elecharny@...che.org> To: announce@...che.org, Apache Directory Developers List <dev@...ectory.apache.org>, "users@...ectory.apache.org" <users@...ectory.apache.org>, api@...ectory.apache.org, security@...che.org, oss-security@...ts.openwall.com Cc: wei.deng@...astax.com, mike.adamson@...astax.com, jeremiah.jordan@...astax.com, ben.coverston@...astax.com Subject: [Annoucement] CVE-2018-1337 Plaintext Password Disclosure in Secured Channel CVE-2018-1337: Plaintext Password Disclosure in Secured Channel Severity: Critical Vendor: The Apache Software Foundation Versions Affected: Apache LDAP API 1.0.0 Description: A bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any informations contained in this request (including the credentials when sending a BIND request) Mitigation: Users are urged to use this 1.0.2 version ASAP. There is no impact in their application, the API remains unchanged. The previous version (LDAP API 1.0.1) was a workaround for this problem. History: 2018-05-15 Original advisory Credit: This issue has been reported by Wei Deng (Datastax), the initial workaround was proposed by Mike Adamson (Datastax) and the further investigations/tests/verification were conducted by Wei Deng, Mike Adamson, Jeremiah Kordan (Datastax) and Ben Coverston (Datastax). -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ