[SECURITY] CVE-2014-3503 Apache Syncope
- To: user@xxxxxxxxxxxxxxxxxx, dev@xxxxxxxxxxxxxxxxxx, announce@xxxxxxxxxx, "security@xxxxxxxxxx" <security@xxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx
- Subject: [SECURITY] CVE-2014-3503 Apache Syncope
- From: Francesco Chicchiriccò <ilgrosso@xxxxxxxxxx>
- Date: Mon, 07 Jul 2014 12:56:47 +0200
CVE-2014-3503: Insecure Random implementations used to generate passwords in
Apache Syncope
Severity: Major
Vendor: The Apache Software Foundation
Versions Affected:
This vulnerability affects all versions of Apache Syncope 1.1.x prior to
1.1.8 'Ad libitum'. The 1.0.x releases are not affected.
Description:
Under certain circumstances, when no existing password is found, Apache Syncope
generates a password for a user. However, the password generation code relies
on insecure Random implementations, which means that an attacker could attempt
to guess a generated password.
This has been fixed in revision:
http://svn.apache.org/viewvc?view=revision&revision=1596537
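As an added illustration of the issue described above (this is not Syncope's own code; the class, alphabet and sample seed below are hypothetical), the same password generator is driven first by java.util.Random and then by SecureRandom:

```java
import java.security.SecureRandom;
import java.util.Random;

// Hypothetical password generator showing why java.util.Random is unsuitable
// for generated credentials and what the hardened variant looks like.
public class PasswordGeneratorDemo {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Builds a password of the given length by drawing indices from rng.
    static String generate(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Weak: java.util.Random is a 48-bit linear congruential generator.
        // Its output is fully determined by the seed, so two instances seeded
        // alike produce the same "password", and its small internal state
        // can be recovered from a short run of observed output.
        long seed = 1404730607000L; // constructed sample seed (a timestamp)
        String weak1 = generate(new Random(seed), 12);
        String weak2 = generate(new Random(seed), 12);
        System.out.println("java.util.Random, same seed twice: " + weak1
            + " / " + weak2 + " -> equal=" + weak1.equals(weak2));

        // Hardened: SecureRandom is a cryptographically strong generator
        // seeded from the platform entropy source; it extends java.util.Random,
        // so the generator above needs no other change.
        SecureRandom csprng = new SecureRandom();
        String strong = generate(csprng, 12);
        System.out.println("SecureRandom: " + strong);
    }
}
```

A code search for `new Random(` or `java.util.Random` in any path that produces credentials, tokens or reset links is the quickest way to check a deployment for the same class of defect.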
Migration:
Syncope 1.0.x users are not affected by this issue.
Syncope 1.1.x users should upgrade to 1.1.8 'Ad libitum' as soon as possible.
References: http://syncope.apache.org/security.html