Insecure LDAP authentication
ID: java/insecure-ldap-auth
Kind: path-problem
Security severity: 8.8
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-522
- external/cwe/cwe-319
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls
When using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.
Recommendation
Use the ldaps:// protocol to send credentials through SSL, or use SASL authentication.
Example
In the following (bad) example, an ldap:// URL is used and credentials will be sent in plaintext.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// BAD: simple LDAP authentication over a cleartext ldap:// connection
// (ldapUserName and password are supplied by the surrounding code)
String ldapUrl = "ldap://ad.your-server.com:389";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
environment.put(Context.PROVIDER_URL, ldapUrl);
environment.put(Context.REFERRAL, "follow");
environment.put(Context.SECURITY_AUTHENTICATION, "simple");
environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
environment.put(Context.SECURITY_CREDENTIALS, password);
DirContext dirContext = new InitialDirContext(environment);
In the following (good) example, an ldaps:// URL is used, so credentials will be encrypted with SSL.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// GOOD: LDAP connection using LDAPS; the bind happens inside the TLS session
// (ldapUserName and password are supplied by the surrounding code)
String ldapUrl = "ldaps://ad.your-server.com:636";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
environment.put(Context.PROVIDER_URL, ldapUrl);
environment.put(Context.REFERRAL, "follow");
environment.put(Context.SECURITY_AUTHENTICATION, "simple");
environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
environment.put(Context.SECURITY_CREDENTIALS, password);
DirContext dirContext = new InitialDirContext(environment);
In the following (good) example, an ldap:// URL is used, but SASL authentication is enabled so that the credentials will be encrypted.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// GOOD: LDAP is used but SASL authentication is enabled
// (the mechanism list is tried in order; ldapUserName and password are supplied by the surrounding code)
String ldapUrl = "ldap://ad.your-server.com:389";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
environment.put(Context.PROVIDER_URL, ldapUrl);
environment.put(Context.REFERRAL, "follow");
environment.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5 GSSAPI");
environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
environment.put(Context.SECURITY_CREDENTIALS, password);
DirContext dirContext = new InitialDirContext(environment);
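As an added example (not part of the CodeQL query help or the Java LDAP API), the recommendation above turned into a guard that fails closed before a JNDI context is opened: a password-carrying simple bind is only accepted over ldaps://, and any other mechanism is treated as SASL. The class name SafeLdapContext, the policy of treating an unspecified mechanism as "simple", and the javax.security.sasl.qop setting are assumptions of this example.

```java
// Added example, not code from the query help: refuses to open a DirContext
// when the LDAP password would cross the network in cleartext.
import java.util.Hashtable;
import java.util.Locale;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public final class SafeLdapContext {

    /** True if a password would be sent unencrypted: simple bind over plain ldap://. */
    static boolean sendsCleartextCredentials(String providerUrl, String authMechanism, Object credentials) {
        if (credentials == null) {
            return false;                               // anonymous bind, no secret to leak
        }
        String url = providerUrl == null ? "" : providerUrl.trim().toLowerCase(Locale.ROOT);
        if (url.startsWith("ldaps://")) {
            return false;                               // TLS protects the whole session
        }
        // Assumption of this guard: JNDI falls back to "simple" when a principal and
        // credentials are set but no mechanism is named, so treat "unspecified" as simple.
        String mech = authMechanism == null ? "simple" : authMechanism.trim();
        return mech.isEmpty() || mech.equalsIgnoreCase("simple");
    }

    /** Builds the environment and throws instead of connecting insecurely. */
    public static DirContext connect(String providerUrl, String authMechanism,
                                     String principal, String password) throws NamingException {
        if (sendsCleartextCredentials(providerUrl, authMechanism, password)) {
            throw new IllegalArgumentException(
                "Refusing simple bind over " + providerUrl + ": use ldaps:// or a SASL mechanism");
        }
        String mechanism = authMechanism == null ? "simple" : authMechanism;
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        if (!mechanism.equalsIgnoreCase("simple")) {
            // Ask the SASL layer for confidentiality of the session, not only a
            // protected authentication exchange (standard SASL property, assumed here).
            env.put("javax.security.sasl.qop", "auth-conf");
        }
        return new InitialDirContext(env);
    }
}
```

Calling connect("ldap://ad.your-server.com:389", "simple", user, password) throws, while the same call with an ldaps:// URL or with "DIGEST-MD5 GSSAPI" proceeds to the bind.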
References
Oracle: LDAP and LDAPS URLs
Oracle: Simple authentication
Common Weakness Enumeration: CWE-522.
Common Weakness Enumeration: CWE-319.