2016-07-12 - Security Issue - LDAP Authentication in Java accepts empty passwords

Executive Summary

OutSystems issued a security update that resolves a vulnerability when using LDAP Authentication with OutSystems Platform running on Java.

The vulnerability causes Service Center and LifeTime to accept empty passwords as valid. If Service Center is configured to authenticate against LDAP using LDAPAuthProvider, this allows attackers to authenticate as any user without a password.

OutSystems Applications do not accept empty passwords by default on interactive user logins. You may be at risk if you're using basic authentication in REST web services, or in code where your application doesn't check the length of the password passed to the User_Login action.

The problem happens because of a peculiarity of LDAP authentication. When an empty password is used to authenticate against an LDAP server, the server returns no error, and the OutSystems Platform relied on that error to determine that authentication had failed. The fix follows best practices for LDAP authentication verification and simply does not allow an empty password to be specified.
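To make the failure mode concrete, here is an added Python example (not OutSystems code) that simulates the RFC 4513 simple-bind rule behind this bug: a bind with a DN and an empty password is an "unauthenticated" bind, which the server answers with success as an anonymous session rather than with an error (Java's JNDI LDAP provider behaves the same way). The directory contents, DN layout and function names are constructed for illustration; the pre-fix and fixed login logic are shown side by side.

```python
from dataclasses import dataclass

# Constructed directory for the simulation: DN -> password.
DIRECTORY = {
    "cn=admin,dc=example,dc=com": "correct horse battery staple",
    "cn=alice,dc=example,dc=com": "alice-pw",
}


class LdapError(Exception):
    """Stand-in for the exception a real LDAP client raises on a failed bind."""


@dataclass
class BindResult:
    bound_as: str  # DN the session is bound as; "" means anonymous


def simple_bind(dn: str, password: str) -> BindResult:
    """Simulates RFC 4513 simple-bind semantics (constructed, not a real client).

    A name with an empty password is an *unauthenticated* bind: the server
    treats the session as anonymous and returns success, not an error.
    """
    if password == "":
        return BindResult(bound_as="")  # anonymous session, no error raised
    if DIRECTORY.get(dn) != password:
        raise LdapError("invalid credentials")  # only real failures raise
    return BindResult(bound_as=dn)


def user_dn(username: str) -> str:
    return f"cn={username},dc=example,dc=com"  # constructed DN layout


def login_vulnerable(username: str, password: str) -> bool:
    """Pre-fix logic: any bind that does not raise is treated as success."""
    try:
        simple_bind(user_dn(username), password)
    except LdapError:
        return False
    return True


def login_fixed(username: str, password: str) -> bool:
    """Fixed logic: refuse empty or blank passwords before contacting the
    server, and also require the session to be bound as the expected DN."""
    if not password or password.strip() == "":
        return False
    try:
        result = simple_bind(user_dn(username), password)
    except LdapError:
        return False
    return result.bound_as == user_dn(username)
```

Rejecting the empty password before the bind is the primary defence; checking the bound identity afterwards catches any client or server that still downgrades to an anonymous session.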

How it affects platform stacks

.NET

This does not affect .NET customers.

Java

This affects Java customers up to and including 8.0.1.70, 9.0.1.67, and 9.1.501.0.

Cloud

Service Center and LifeTime are not affected in the OutSystems Cloud. Customers on the Java stack should check their applications for usage of LDAP Authentication.

Threat level

HIGH. It's possible to authenticate with privileged users (admin) without a password.

Action items for customers

Java customers using LDAPAuthProvider should immediately apply the quick fix below, as the vulnerability allows attackers to authenticate as ANY user in Service Center. Customers who are unsure whether they are affected should also apply the fix, as it has no side effects.

Quick fix

Apply this quick fix to immediately address the vulnerability.

The quick fix is delivered as an extension and is valid for all Maintenance Updates within the supported OutSystems Platform major versions.

To download the quick fix, choose your OutSystems major version from the list below:

To apply the quick fix, follow these steps, in each of your environments:

  1. Publish the extension in Service Center
  2. Republish an "all content" solution

What OutSystems is doing

OutSystems produced the quick fix described above, which you should apply to immediately resolve the vulnerability.

OutSystems will also include this quick fix in the next Maintenance Updates of the OutSystems Platform, scheduled for the following dates:

  • 8.0 - September 16
  • 9.0 - July 29
  • 9.1 - August 12