Vulnerability in ApacheDS 1.5

Apache Directory Server (ApacheDS) is an LDAP server implemented in Java from the Apache Software Foundation.

The server supports a number of password hash functions, including MD5, SHA, SMD5 and SSHA, so that the clear-text password used for authentication is not stored on the server and an attacker who gains access to the data cannot use it for authentication unless he breaks the hash.

Password checks are implemented in the class SimpleAuthenticator, which includes the following code:

// Get the stored password, either from cache or from backend
byte[] storedPassword = principal.getUserPassword();

// Short circuit for PLAIN TEXT passwords : we compare the byte array directly
// Are the passwords equal ?
if ( Arrays.equals( credentials, storedPassword ) )
{
    if ( IS_DEBUG )
    {
        LOG.debug( "{} Authenticated", opContext.getDn() );
    }

    return principal;
}

The provided credentials are compared byte for byte to the stored password, which can be either a plain password or the hash of a password. ApacheDS therefore allows a user to authenticate either with the password or with the corresponding hash. So authentication of a user with the password abc, which is stored as the salted SHA1 hash {SSHA}lIifvzM278asTV8NtjfO3EV3z4caaC5uJPouWw==, will succeed if either the original password or the hash is provided.

Both calls will succeed equally:

ldapsearch -h localhost -p 10389 -D uid=admin,ou=system -x -w 'abc'
ldapsearch -h localhost -p 10389 -D uid=admin,ou=system -x \
  -w '{SSHA}lIifvzM278asTV8NtjfO3EV3z4caaC5uJPouWw=='

An attacker who gains access to the stored hash can thus authenticate as any user without having to know the password.
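As an added example (not ApacheDS code), the short circuit quoted above is reproduced next to a scheme-aware check: a stored {SSHA} value is base64(sha1(password + salt) + salt), so the verifier has to hash the supplied credentials with the stored salt instead of comparing the raw bytes. The 8-byte salt used to build the sample hash is constructed; the second hash is the one quoted in the post.

```python
import base64
import hashlib
import hmac
import re

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9-]+)\}")
SHA1_LEN = 20  # {SSHA} = base64(sha1(password + salt) + salt)


def make_ssha(password: bytes, salt: bytes) -> bytes:
    """Build a userPassword value in the {SSHA} scheme."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def split_ssha(stored: bytes) -> tuple:
    """Split a {SSHA} value into (digest, salt)."""
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def check_vulnerable(credentials: bytes, stored: bytes) -> bool:
    """The ApacheDS 1.5 short circuit: supplied bytes are compared with the
    stored attribute whether or not that attribute is a hash."""
    return credentials == stored


def check_fixed(credentials: bytes, stored: bytes) -> bool:
    """Scheme-aware check: a stored hash is only ever compared with the
    hash of the supplied credentials, never with the credentials themselves."""
    m = SCHEME_RE.match(stored)
    if m is None:
        # No scheme prefix: a plain-text password, compared in constant time.
        return hmac.compare_digest(credentials, stored)
    if m.group(1).upper() == b"SSHA":
        digest, salt = split_ssha(stored)
        candidate = hashlib.sha1(credentials + salt).digest()
        return hmac.compare_digest(candidate, digest)
    # Other schemes are not implemented here: fail closed rather than fall
    # back to the raw comparison that caused the bug.
    return False


# Constructed sample: the password from the post with a fixed 8-byte salt.
SAMPLE_SALT = bytes(range(8))
SAMPLE_STORED = make_ssha(b"abc", SAMPLE_SALT)

# The hash quoted in the post; it splits into a 20-byte digest and an 8-byte salt.
PAGE_HASH = b"{SSHA}lIifvzM278asTV8NtjfO3EV3z4caaC5uJPouWw=="
```

With the vulnerable check, presenting SAMPLE_STORED itself as the credential succeeds; with the fixed check only the password abc does.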

It seems all versions of ApacheDS 1.5.x including 1.5.7 are vulnerable. The new 2.0 branch does not seem vulnerable.

I notified the Apache Security Team on 2012-03-12 and informed them on 2012-03-15 that I would publish this blog entry on 2012-03-19, after they had remained silent for three days.

Emmanuel Lécharny finally replied that he does not consider 1.5.7 stable and that

People using the server *must* use 2.0.0-Mx versions, even if this version is not stabilized yet.

The reason they still link to the vulnerable 1.5.7 version in their “Latest Downloads” section without a word on the security issue is

Pure laziness… Sadly, we are knees deep into coding, and we have neglected the web site and the doco :/

Seems priorities are more on publishing good news.

Update 2012-03-27: Now, more than two weeks after the notification, they have had plenty of time to write emails explaining why this isn’t a problem but apparently no time to remove the link to the vulnerable version from the Latest Downloads section.

2 thoughts on “Vulnerability in ApacheDS 1.5”

  1. I’m trying to download the Open Archive Plugin for Open Fire. All of the download links I’ve found lead to 404 errors. Kindly point me to the correct download location.

    Thanks,
