ldap.mechsAllowedToSendCredentials - only SASL?

Bernd ecki at zusammenkunft.net
Wed Oct 21 17:26:36 UTC 2020


BTW: the security patch looks like "simple" is supposed to be rejected when
a principal is set, however this is not the case in my tests. Maybe the
method is not called correctly in this case?

    if ("simple".equalsIgnoreCase(authMechanism) &&
        !envprops.containsKey(SECURITY_PRINCIPAL)) {

Regards
Bernd

On Wed, 21 Oct 2020 at 18:21, Bernd <ecki at zusammenkunft.net> wrote:

> Hello,
>
> I am looking at the 11.0.9 PSU (as of Zulu 11.43-sa) regarding the CVE-2020-14781
> / JDK-8237990 fix and trying to understand if my customers might be
> affected.
>
> jdk.jndi.ldap.mechsAllowedToSendCredentials
>
> It was not obvious to me, how the mechanism restriction works.
>
> According to Oracle and Redhat release notes it only looks at clear /
> non-TLS.
>
> - Can you confirm that SASL with wrapping is not considered encrypted
> in this case?
>
> - Can you confirm it only applies to SASL based negotiation? (in my test
> SIMPLE with cleartext passwords works just fine)
>
> - Can you confirm it does not apply to "secure" mechanisms like DIGEST-MD5
> or different methods like GSSAPI or SIMPLE?
>
> Regards
> Bernd
>
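The questions above turn on which JNDI environment settings cause credentials to cross a clear ldap:// connection: a "simple" bind with Context.SECURITY_PRINCIPAL set (the condition quoted from the patch), or any SASL mechanism named in Context.SECURITY_AUTHENTICATION. The following is an added example, not code from the JDK or from this thread: a client-side guard that refuses such a bind unless the URL is ldaps://, independent of how jdk.jndi.ldap.mechsAllowedToSendCredentials is set. The class name, the connect() helper and the example DN are hypothetical.

```java
import java.util.Hashtable;
import java.util.Locale;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical guard (added example): never bind with credentials over clear LDAP. */
public final class GuardedLdapBind {

    /** True when the JNDI environment would send credentials during the bind. */
    static boolean sendsCredentials(Hashtable<String, Object> env) {
        Object auth = env.get(Context.SECURITY_AUTHENTICATION);
        String mech = auth == null ? "" : auth.toString();
        if (mech.isEmpty() || "none".equalsIgnoreCase(mech)) {
            // Anonymous bind: nothing secret is sent.
            return false;
        }
        if ("simple".equalsIgnoreCase(mech)) {
            // Mirrors the quoted check: simple without a principal is an anonymous bind.
            return env.containsKey(Context.SECURITY_PRINCIPAL);
        }
        // Anything else is a SASL mechanism list (DIGEST-MD5, GSSAPI, ...):
        // the mechanism exchange carries credential material, so treat as sending.
        return true;
    }

    /** Connects only if credentials (if any) travel over TLS from the first byte. */
    static DirContext connect(String url, Hashtable<String, Object> env) throws NamingException {
        boolean ldaps = url.toLowerCase(Locale.ROOT).startsWith("ldaps://");
        // Conservative: an ldap:// URL later upgraded with StartTLS is still refused here.
        if (!ldaps && sendsCredentials(env)) {
            throw new NamingException("refusing to send credentials over clear LDAP: " + url);
        }
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=app,dc=example,dc=com"); // placeholder DN
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_PASSWORD"));
        // "ldap://ldap.example.com:389" would be rejected by connect(); ldaps:// passes.
        DirContext ctx = connect("ldaps://ldap.example.com:636", env);
        ctx.close();
    }
}
```

This guard is an application-level belt and braces; the JDK property remains the place to restrict mechanisms JVM-wide, and StartTLS users would need to extend the check to require the upgrade before the bind.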