Project

General

Profile

Actions

Bug #9858

closed

CVE-2015-1816 - LDAP server SSL certificate not verified

Added by Marek Hulán over 9 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Authentication
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When making an SSL connection to an LDAP authentication source in Foreman, the remote server certificate is accepted without any verification against known certificate authorities.

This can allow the LDAP connection between Foreman and the LDAP server to be attacked, and a different LDAP server could be contacted to authenticate users to Foreman.

Expected behaviour is that the certificate authority for the LDAP server should be stored and trusted somewhere, e.g. the system trust store (/etc/pki/tls/certs/ca-bundle.crt, or via update-ca-certificates).

Affects Foreman 1.3.0 or higher - since Puppet was removed as a dependency, the default SSL behaviour went back to no verification.


Files

fix_9858.diff fix_9858.diff 1.25 KB Marek Hulán, 03/23/2015 03:01 AM
fix_9858_monkey.diff fix_9858_monkey.diff 1.18 KB monkey patch for older versions Marek Hulán, 03/23/2015 11:27 AM

Related issues 2 (0 open2 closed)

Related to Foreman - Bug #9885: CVE-2015-1816 - LDAP server SSL certificate not verifiedClosedMarek Hulán03/24/2015Actions
Related to Foreman - Bug #10139: Cannot verify LDAPS SSL certificate on Debian installationResolved04/14/2015Actions
Actions

Also available in: Atom PDF