CVE-2017-14623

Published: Aug 24, 2017
Source: redhat
CVSS3: 5.6
EPSS: Low

Description

In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.

Report

This issue affects the version of go-ldap/ldap shipped with Red Hat OpenShift Container Platform (OCP) 3.11. However, OpenShift explicitly checks for blank passwords in order to prevent anonymous LDAP binds. As the OpenShift 3.11 product packages the vulnerable library, it is marked affected, but is set to wontfix. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

The 'oc cli' in OCP 3.11 and 4.x also contains the vulnerable go-ldap/ldap library. However, while the oc binary does allow anonymous binds, unauthenticated binds are not possible. Hence the oc cli is marked affected (as it includes the library) but is set to wontfix; this may be addressed in a future release.

Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-287: Improper Authentication vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Access to the platform is granted only after successful authentication through multifactor authentication (MFA). Domain accounts are configured to lock out based on predefined access policies, reducing the effectiveness of brute-force attacks on authentication mechanisms. The platform employs IAM roles for identification and authentication within its cloud infrastructure; these govern user access to resources and manage provisioning, deployment, and configuration within the platform environment, reducing the risk of unauthorized access through third-party or external user accounts. Finally, memory protection mechanisms are used to enhance resilience against unauthorized commands or improper authentication.
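Added example, not code from this page, from go-ldap or from Red Hat: the vulnerable pattern the description refers to (a nil error from Bind taken as successful authentication) next to the hardened form (rejecting an empty password before the bind is sent, the check the report says OpenShift performs). The Binder interface mirrors go-ldap's Bind(username, password string) error; permissiveServer is a constructed stand-in for a directory that allows unauthenticated bind, so nothing here contacts a real LDAP server.

```go
package main

import (
	"errors"
	"fmt"
)

// Binder is the subset of the go-ldap connection API this example relies on;
// *ldap.Conn in go-ldap exposes Bind with exactly this signature.
type Binder interface {
	Bind(username, password string) error
}

// permissiveServer is a constructed stand-in for an LDAP server that allows
// unauthenticated bind: a DN with an empty password succeeds without any check.
type permissiveServer struct {
	passwords map[string]string // DN -> password (constructed sample directory)
}

func (s permissiveServer) Bind(username, password string) error {
	if password == "" {
		return nil // unauthenticated bind: accepted regardless of username
	}
	if s.passwords[username] == password {
		return nil
	}
	return errors.New("invalid credentials")
}

// authenticateVulnerable is the pattern described in the CVE: a nil error from
// Bind is taken as proof that the caller knows the password.
func authenticateVulnerable(c Binder, dn, password string) bool {
	return c.Bind(dn, password) == nil
}

// authenticateHardened rejects an empty password before binding, so a server
// that permits unauthenticated bind can no longer turn "" into a login.
func authenticateHardened(c Binder, dn, password string) bool {
	if password == "" {
		return false
	}
	return c.Bind(dn, password) == nil
}

func main() {
	srv := permissiveServer{passwords: map[string]string{"cn=alice,dc=example,dc=org": "s3cret"}}
	fmt.Println(authenticateVulnerable(srv, "cn=alice,dc=example,dc=org", "")) // true: bypass
	fmt.Println(authenticateHardened(srv, "cn=alice,dc=example,dc=org", ""))   // false
}
```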

Affected packages

Platform | Package | Status | Recommendation | Release
Red Hat OpenShift Container Platform 3.11 | atomic-openshift-clients | Will not fix | - | -
Red Hat OpenShift Container Platform 3.11 | openshift3/ose-cli | Will not fix | - | -
Red Hat OpenShift Container Platform 4 | openshift4/ose-cli | Will not fix | - | -
Red Hat OpenShift Container Platform 4 | openshift-clients | Will not fix | - | -
Red Hat OpenShift Enterprise 3 | atomic-openshift | Will not fix | - | -


Additional information

Status:

Moderate
Weakness:
CWE-287
https://bugzilla.redhat.com/show_bug.cgi?id=1493998
gopkg.in-ldap.v2: Authentication bypass via empty password

EPSS

Percentile: 63%
0.00466
Low

CVSS3

5.6 Medium

Related vulnerabilities

CVSS3: 8.1
ubuntu
almost 8 years ago

In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.

CVSS3: 8.1
nvd
almost 8 years ago

In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.

CVSS3: 8.1
msrc
10 months ago

No description available

CVSS3: 8.1
debian
almost 8 years ago

In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker ...

CVSS3: 8.1
github
more than 3 years ago

Access Restriction Bypass in go-ldap
