ldap.mechsAllowedToSendCredentials - only SASL?

Bernd ecki at zusammenkunft.net
Wed Oct 21 16:21:09 UTC 2020


Hello,

I am looking at the 11.0.9 PSU (as of Zulu 11.43-sa) about the CVE-2020-14781
 / JDK-8237990 fix and try to understand if my customers might be affected.

jdk.jndi.ldap.mechsAllowedToSendCredentials

It was not obvious to me how the mechanism restriction works.

According to Oracle and Red Hat release notes it only looks at clear /
non-TLS.

- Can you confirm that SASL with wrapping is not considered encrypted in
this case?

- Can you confirm it only applies to SASL based negotiation? (in my test
SIMPLE with cleartext passwords works just fine)

- Can you confirm it does not apply to "secure" mechanisms like DIGEST-MD5
or different methods like GSSAPI or SIMPLE?

Regards
Bernd