
CVE-2020-36658: Add ldapVerify option for SSL cert validation · LemonLDAPNG/Apache-Session-LDAP@490722b

In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.

#apache#perl#ldap#ssl
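The description above turns on one detail of Net::LDAP: when no `verify` option is passed, the module's own default (`none`) is used and the LDAPS server certificate is accepted without any check. The script below is an added example, not code from Apache::Session::LDAP or its authors; it puts the pre-0.5 style connection beside a hardened one that mirrors the option names the fix introduces (`ldapVerify`, `caFile`, `caPath`, `ldapPort`). The hostname, CA path, bind DN and password are placeholders, and the `%cfg` hash is constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example, not Apache::Session::LDAP's own code: how the Net::LDAP
# options decide whether the LDAPS server certificate is validated.
# Hostnames, paths and credentials below are placeholders.
use strict;
use warnings;
use Net::LDAP;

# Pre-0.5 behaviour: no "verify" option, so Net::LDAP's default ("none")
# applies and any certificate, self-signed or forged, is accepted. Any
# attacker who can intercept the connection can read or alter session data.
sub connect_unverified {
    my ($uri) = @_;
    my $ldap = Net::LDAP->new($uri) or die "Unable to connect to $uri: $@";
    return $ldap;
}

# Hardened: refuse any LDAPS server whose certificate does not chain to the
# configured CA (or, when no CA is given, whatever IO::Socket::SSL uses as
# its default store), and apply the same policy to StartTLS on ldap://.
# ldapVerify defaults to "require"; an explicit "none" must be a deliberate
# configuration choice.
sub connect_verified {
    my (%a) = @_;
    my %tls = (
        verify => ( $a{ldapVerify} || 'require' ),
        ( $a{caFile} ? ( cafile => $a{caFile} ) : () ),
        ( $a{caPath} ? ( capath => $a{caPath} ) : () ),
    );
    my $ldap = Net::LDAP->new(
        $a{ldapServer},
        onerror => undef,
        %tls,
        ( $a{ldapPort} ? ( port => $a{ldapPort} ) : () ),
    ) or die "Unable to connect to $a{ldapServer}: $@";

    # Plain ldap:// with StartTLS: verification options are passed again,
    # because start_tls() builds its own SSL layer.
    if ( $a{useTls} && $a{ldapServer} !~ m{^ldaps://}i ) {
        my $r = $ldap->start_tls(%tls);
        die 'StartTLS failed: ' . $r->error if $r->code;
    }

    my $bind = $a{ldapBindDN}
        ? $ldap->bind( $a{ldapBindDN}, password => $a{ldapBindPassword} )
        : $ldap->bind;
    die 'Bind failed: ' . $bind->error if $bind->code;
    return $ldap;
}

# Constructed configuration (placeholders, not a real deployment).
my %cfg = (
    ldapServer       => 'ldaps://ldap.example.invalid',
    ldapVerify       => 'require',
    caFile           => '/etc/ssl/certs/internal-ca.pem',
    ldapBindDN       => 'cn=session,ou=svc,dc=example,dc=invalid',
    ldapBindPassword => 'changeme',
);

if ( !caller ) {
    my $ldap = connect_verified(%cfg);
    print "connected; server certificate chained to $cfg{caFile}\n";
    $ldap->unbind;
}
```

Pointing `connect_verified` at a host that presents a self-signed or mismatched certificate makes `Net::LDAP->new` return undef with the IO::Socket::SSL error in `$@`, which is the failure the unverified variant never produces. Whether an absent `caFile`/`caPath` falls back to a usable system store depends on the IO::Socket::SSL version installed, so a deployment that relies on `require` should set one of them explicitly.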

@@ -119,22 +119,32 @@ sub ldap { push @servers, $server; }

Compatibility my $caFile = $self->{args}->{ldapCAFile} || $self->{args}->{caFile}; my $caPath = $self->{args}->{ldapCAPath} || $self->{args}->{caPath};

Connect my $ldap = Net::LDAP->new( \@servers, onerror => undef, verify => $self->{args}->{ldapVerify} || "require", ( $caFile ? ( cafile => $caFile ) : () ), ( $caPath ? ( capath => $caPath ) : () ),

( $self->{args}->{ldapPort} ? ( port => $self->{args}->{ldapPort} ) : () ), ) or die( 'Unable to connect to ' . join( ' ', @servers ) ); ) or die( 'Unable to connect to ' . join( ' ', @servers ) . ': ' . $@ );

Start TLS if needed

if ($useTls) { my %h = split( /[&=]/, $tlsParam ); $h{cafile} = $self->{args}->{caFile} if ( $self->{args}->{caFile} ); $h{capath} = $self->{args}->{caPath} if ( $self->{args}->{caPath} ); $h{verify} ||= ( $self->{args}->{ldapVerify} || “require” ); $h{cafile} ||= $caFile if ($caFile); $h{capath} ||= $caPath if ($caPath); my $start_tls = $ldap->start_tls(%h); if ( $start_tls->code ) { $self->logError($start_tls);
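Review bot: In the StartTLS branch, `$h{verify} ||= ( $self->{args}->{ldapVerify} || “require” )` lets a `tlsParam` string that carries `verify=none` silently disable the validation this change introduces, and `ldapVerify => 'none'` in the main options does the same; consider logging a warning whenever the effective value is not `require`, so a downgrade is visible in the logs, and document `ldapVerify` with its `require` default and the `ldapCAFile`/`ldapCAPath` aliases in the module's POD. Two smaller points in the same hunk: replacing `$h{cafile} = $self->{args}->{caFile}` with `$h{cafile} ||= $caFile` reverses precedence (a `cafile` inside `tlsParam` now wins over the configured `caFile`), which is worth a line in the Changes file, and `split( /[&=]/, $tlsParam )` does no decoding, so a CA path containing `&` or `=` cannot be expressed there.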

Related news

Ubuntu Security Notice USN-6596-1

Ubuntu Security Notice 6596-1 - It was discovered that Apache::Session::LDAP incorrectly handled invalid X.509 certificates. If a user or an automated system were tricked into opening a specially crafted invalid X.509 certificate, a remote attacker could possibly use this issue to perform spoofing and obtain sensitive information.
