Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 733114 (CVE-2020-15813) - <app-admin/graylog-3.3.3: LDAP Authentication Bypass (CVE-2020-15813)
Summary: <app-admin/graylog-3.3.3: LDAP Authentication Bypass (CVE-2020-15813)
Status: RESOLVED FIXED
Alias: CVE-2020-15813
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/Graylog2/graylog2-...
Whiteboard: ~4 [noglsa cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-07-18 03:35 UTC by John Helmert III (ajak)
Modified: 2020-08-06 17:03 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) 2020-07-18 03:35:17 UTC
CVE-2020-15813:

Graylog before 3.3.3 lacks SSL Certificate Validation for LDAP servers. It allows use of an external user/group database stored in LDAP. The connection configuration allows the usage of unencrypted, SSL- or TLS-secured connections. Unfortunately, the Graylog client code (in all versions that support LDAP) does not implement proper certificate validation (regardless of whether the "Allow self-signed certificates" option is used). Therefore, any attacker with the ability to intercept network traffic between a Graylog server and an LDAP server is able to redirect traffic to a different LDAP server (unnoticed by the Graylog server due to the lack of certificate validation), effectively bypassing Graylog's authentication mechanism.



Upstream issue has a fix in the 3.3.3 milestone (URL). PR (appears potentially unfinished): https://github.com/Graylog2/graylog2-server/pull/8569
Comment 1 Larry the Git Cow gentoo-dev 2020-08-06 16:09:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f22752d5c89481ddb1eda81cef7632ab4bcb217d

commit f22752d5c89481ddb1eda81cef7632ab4bcb217d
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-08-05 09:02:55 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-06 16:09:13 +0000

    app-admin/graylog: drop vulnerable
    
    Bug: https://bugs.gentoo.org/733114
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/17010
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/graylog/Manifest             |  2 -
 app-admin/graylog/graylog-3.3.1.ebuild | 83 ----------------------------------
 app-admin/graylog/graylog-3.3.2.ebuild | 83 ----------------------------------
 3 files changed, 168 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ba778ceecf5cd87d8f90c931e891cdff644564a

commit 6ba778ceecf5cd87d8f90c931e891cdff644564a
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-08-05 09:02:12 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-06 16:09:12 +0000

    app-admin/graylog: bump to 3.3.3
    
    Bug: https://bugs.gentoo.org/733114
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-admin/graylog/Manifest             |  1 +
 app-admin/graylog/graylog-3.3.3.ebuild | 83 ++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2020-08-06 17:03:48 UTC
Thanks!