CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds


7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P


The Apache Software Foundation

Citrix, Inc.

Versions Afffected:

Apache CloudStack 4.3, 4.4


Apache CloudStack may be configured to authenticate LDAP users.
When so configured, it performs a simple LDAP bind with the name
and password provided by a user. Simple LDAP binds are defined
with three mechanisms (RFC 4513): 1) username and password; 2)
unauthenticated if only a username is specified; and 3) anonymous
if neither username or password is specified. Currently, Apache
CloudStack does not check if the password was provided which could
allow an attacker to bind as an unauthenticated user.


Users of Apache CloudStack 4.4 and derivatives should update to the
latest version (4.4.2)

An updated release for Apache CloudStack 4.3.2 is in testing. Until
that is released, we recommend following the mitigation below:

By default, many LDAP servers are not configured to allow unauthenticated
binds. If the LDAP server in use allow this behaviour, a potential
interim solution would be to consider disabling unauthenticated


This issue was identified by the Citrix Security Team.