Edit Report

Our sensors found this exploit at:

Below is a copy:

CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds

7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

The Apache Software Foundation
Citrix, Inc.

Versions Afffected:
Apache CloudStack 4.3, 4.4

Apache CloudStack may be configured to authenticate LDAP users.
When so configured, it performs a simple LDAP bind with the name
and password provided by a user.  Simple LDAP binds are defined
with three mechanisms (RFC 4513): 1) username and password; 2)
unauthenticated if only a username is specified; and 3) anonymous
if neither username or password is specified.  Currently, Apache
CloudStack does not check if the password was provided which could
allow an attacker to bind as an unauthenticated user.

Users of Apache CloudStack 4.4 and derivatives should update to the
latest version (4.4.2)

An updated release for Apache CloudStack 4.3.2 is in testing. Until
that is released, we recommend following the mitigation below:

By default, many LDAP servers are not configured to allow unauthenticated
binds.  If the LDAP server in use allow this behaviour, a potential
interim solution would be to consider disabling unauthenticated

This issue was identified by the Citrix Security Team.

Copyright ©2023 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.