Security issue with JettyCachingLdapLoginModule (workaround)

26 views
Skip to first unread message

Greg Schueler

unread,
Apr 18, 2012, 4:44:47 PM4/18/12
to contr...@googlegroups.com
Hi All,

We recently received a report about a security issue with the "JettyCachingLdapLoginModule" included in Rundeck, described here: http://rundeck.lighthouseapp.com/projects/59277-development/tickets/555-vulnerability-with-ldap-authentication

Rundeck's origin is from Jobcenter/CtlCenter/ControlTier, and this security issue also exists in ControlTier version 3.4 and later.

The upshot is that if you are using the JettyCachingLdapLoginModule included in ControlTier/Rundeck, and have "forceBindingLogin"="true", and have "cacheDurationMillis" > 0, then after a user logs in, subsequent logins for that user do not check the password for the duration of the cache time.

This issue can be averted in two ways:

1. set "forceBindingLogin" to "false" in your jaas-ldap.conf file.  This will mean that LDAP authentication does not "bind" as the user logging in, but as the manager DN instead.  Some LDAP servers are configured such that they won't be able to change this setting.
2. set "cacheDurationMillis" to "0".  This will disable the authorization caching behavior and prevent this issue.

We have released an update for Rundeck to address this issue.

Thanks,

Greg Schueler
Reply all
Reply to author
Forward
0 new messages