LDAP Authentication in Java stack may allow authentication with empty password


We have identified a critical security vulnerability which affects authentication using an LDAP server in the Java stack. 

If you’re using LDAP authentication in Service Center, the vulnerability allows users to log in to Service Center and LifeTime without supplying any password. The vulnerability may also apply to end-user applications, depending on their use of the OutSystems Platform authentication services.

Additional details can be found in this Knowledge Base Article.
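
A frequent cause of this class of bug is an LDAP simple bind sent with an empty password, which RFC 4513 defines as an "unauthenticated bind" that a server may answer with success. This advisory does not state the root cause in the OutSystems Platform, so the Java code below is an added example of the defensive check, not OutSystems code and not the Knowledge Base quick-fix; the class name, server URL and DN are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added illustration: class name, URL and DN are hypothetical.
public final class LdapBindGuard {

    /** True when the credentials must be refused before contacting the directory. */
    static boolean rejectBeforeBind(String userDn, char[] password) {
        // A non-empty DN with an empty password is an RFC 4513 "unauthenticated bind":
        // a success reply from the server proves nothing about the user.
        return userDn == null || userDn.trim().isEmpty()
            || password == null || password.length == 0;
    }

    /** Returns true only if the directory accepted a simple bind with a non-empty password. */
    static boolean authenticate(String ldapUrl, String userDn, char[] password)
            throws NamingException {
        if (rejectBeforeBind(userDn, password)) {
            return false; // never send an empty password to the server
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // performs the bind
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password or unknown user
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        String dn = "uid=alice,ou=people,dc=example,dc=com"; // constructed sample DN
        // Both calls are refused by the guard, so no connection is attempted.
        System.out.println(authenticate("ldaps://ldap.example.com:636", dn, new char[0]));
        System.out.println(authenticate("ldaps://ldap.example.com:636", dn, null));
    }
}
```

Many directory servers can also be configured to reject unauthenticated binds, which covers clients that lack this check.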


Affected stacks and versions

.NET: this stack is not affected by this problem

Java: this stack is affected by this problem.

Cloud: Service Center and LifeTime are not affected by this problem in the Cloud.

Versions:

8.0 all versions

9.0 all versions

9.1 all versions



What should I do

The Knowledge Base article mentioned above contains a quick-fix for this problem. We recommend that all Java customers who use LDAP to authenticate their users apply the fix as soon as possible.


If you have further questions regarding this problem, feel free to contact OutSystems Support using the usual means.