A security vulnerability has been discovered in OpenDJ. It is present in all versions of OpenDJ, including 2.6.x, 2.5.0-Xpress1, 2.4.x, and possibly earlier versions.
A security advisory has been issued with guidance on securing affected deployments. Workarounds or patches are available for the issue, and the fix is included in OpenDJ 2.6.3.
The advisory rates the issue as High severity. Deployers should take the immediate steps outlined in the advisory and apply the relevant update at the earliest opportunity.
The recommendation is to deploy the relevant patch or to upgrade to OpenDJ 2.6.3.
Customers without existing patches can obtain the relevant patch from BackStage. Customers with deployed patches should contact the support organization to obtain a combo patch. The fix is also present in the community "trunk" nightly builds.
The following security fix has been included in this release:
- Issue #201504-01: Proxied Authorization may allow unexpected escalation of privileges and access. When a user has been granted the privilege to proxy requests and use the Proxied Authorization control, there is no way to restrict which identities that user may impersonate. Such a user can therefore impersonate "cn=Directory Manager" and bypass all access controls. Until the fix is applied, this privilege should be granted only to accounts that are already trusted with Directory Manager level access.
Severity: High
For more information, see OpenDJ Security Advisory #201504.
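To make the issue concrete, the following Python is an added example written for this page; it is not OpenDJ's own code and does not show how the OpenDJ fix is implemented. It builds and parses the RFC 4370 Proxied Authorization request control, whose value is nothing more than the requested authorization identity, and places a check that accepts any target (the behaviour described above) beside a hardened check that refuses root DNs and confines the proxy user to an allow-list of subtrees. The DN normalisation, the root-DN set, the treatment of "u:" identities and the subtree allow-list model are assumptions made for illustration.

```python
"""Proxied Authorization (RFC 4370) control plus an authorization-ID policy check.
Added example for this advisory; not OpenDJ code. The DN normalisation, the root-DN
set and the subtree allow-list are illustrative assumptions."""
from __future__ import annotations

from collections.abc import Iterable

PROXIED_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # RFC 4370 control type


def _ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_proxied_authz_control(authz_id: str) -> bytes:
    """LDAP Control ::= SEQUENCE { controlType, criticality, controlValue }.
    RFC 4370 requires criticality TRUE; controlValue is the bare authzId
    ("dn:<DN>", "u:<userid>", or empty for anonymous) with no SEQUENCE wrapper."""
    return _tlv(0x30, _tlv(0x04, PROXIED_AUTHZ_OID.encode("ascii"))
                + _tlv(0x01, b"\xff")
                + _tlv(0x04, authz_id.encode("utf-8")))


def decode_proxied_authz_control(raw: bytes) -> tuple[str, bool, str]:
    """Parse a Control back into (oid, criticality, authzId)."""
    tag, seq, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected a single Control SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    critical = False
    tag, val, pos = _read_tlv(seq, pos)
    if tag == 0x01:                      # optional BOOLEAN; any non-zero byte is TRUE
        critical = val != b"\x00"
        if pos >= len(seq):
            raise ValueError("controlValue missing")
        tag, val, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("controlValue missing")
    return oid.decode("ascii"), critical, val.decode("utf-8")


def normalize_dn(dn: str) -> str:
    """Illustrative normalisation only (case-fold, trim around ',' and '=');
    a real server applies per-attribute matching rules and RFC 4514 escaping."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(rdns).lower()


# Root DNs bypass access control entirely; impersonating one is never acceptable.
ROOT_DNS = {normalize_dn("cn=Directory Manager")}


def unrestricted_may_proxy_as(_authz_id: str) -> bool:
    """The behaviour the advisory describes: holding the proxied-auth privilege
    is sufficient and the requested target identity is never examined."""
    return True


def may_proxy_as(authz_id: str, allowed_subtrees: Iterable[str]) -> bool:
    """Hardened check: the proxy user may only assume 'dn:' identities located under
    one of its allowed subtrees, and never a root DN. 'u:' identities are refused
    here because the mapped DN is not known to this check (assumption)."""
    if authz_id == "":
        return True                       # zero-length authzId means anonymous (RFC 4370)
    if not authz_id.startswith("dn:"):
        return False
    target = normalize_dn(authz_id[3:])
    if target in ROOT_DNS:
        return False
    for subtree in allowed_subtrees:
        base = normalize_dn(subtree)
        if target == base or target.endswith("," + base):
            return True
    return False
```

The point of the contrast is that the control carries an arbitrary authorization identity, so whatever the server does with that string after checking the proxy privilege is the entire access decision; a deny-by-default allow-list with an explicit root-DN refusal is the minimum a practitioner would expect.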

