SB2021111211 - LDAP injection in Apache Traffic Control

Description

This security bulletin contains information about 1 vulnerability.

1) LDAP injection (CVE-ID: CVE-2021-43350)

CWE-ID: CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper input validation when processing usernames in Apache Traffic Control Traffic Ops. A remote non-authenticated attacker can send a specially crafted POST request to the /login endpoint of any API version and inject arbitrary content into LDAP filter. 

Successful exploitation of the vulnerability may allow an attacker to bypass authentication process and gain unauthorized access to the application.

Remediation

Install update from vendor's website.

References

• https://trafficcontrol.apache.org/security/
• http://www.openwall.com/lists/oss-security/2021/11/11/4
• http://www.openwall.com/lists/oss-security/2021/11/11/3