===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1093
  CVE-2014-3503: Insecure Random implementations used to generate passwords
                              in Apache Syncope
                                8 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Syncope
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3503

Original Bulletin:
   http://syncope.apache.org/security.html

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2014-3503: Insecure Random implementations used to generate passwords in Apache Syncope

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Apache Syncope 1.1.x prior to 1.1.8 'Ad libitum'. The 1.0.x releases are not affected.

Description: A password is generated for a user in Apache Syncope under certain circumstances, when no existing password is found. However, the password generation code is relying on insecure Random implementations, which means that an attacker could attempt to guess a generated password.

This has been fixed in revision:
   http://svn.apache.org/viewvc?view=revision&revision=1596537

Migration: Syncope 1.0.x users are not affected by this issue. Syncope 1.1.x users should upgrade to 1.1.8 'Ad libitum' as soon as possible.
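As an added illustration that is not part of the bulletin and not Apache Syncope's own code, the Java snippet below contrasts a password generator built on java.util.Random, the kind of insecure Random implementation the advisory describes, with one built on java.security.SecureRandom; the class name, method names and character alphabet are constructed for this example.

```java
import java.security.SecureRandom;
import java.util.Random;

// Illustrative only (not Syncope's code): shows why a password generator
// must not be built on java.util.Random and what the hardened form looks like.
public class PasswordGeneratorDemo {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Weak: java.util.Random is a 48-bit linear congruential generator whose
    // entire output sequence is fixed by its seed. Two instances created with
    // the same seed therefore produce the same "random" password.
    static String weakPassword(Random rng, int length) {
        return fromAlphabet(rng, length);
    }

    // Hardened: SecureRandom draws from a cryptographically strong source and
    // is the appropriate generator for secrets such as initial passwords.
    static String strongPassword(int length) {
        return fromAlphabet(new SecureRandom(), length);
    }

    // SecureRandom extends Random, so one helper serves both generators.
    private static String fromAlphabet(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Same seed, same password: the weak generator is fully deterministic.
        String a = weakPassword(new Random(42L), 12);
        String b = weakPassword(new Random(42L), 12);
        System.out.println("java.util.Random (seed 42): " + a + " / " + b
            + " -> identical: " + a.equals(b));

        // Independent SecureRandom instances do not repeat each other.
        String c = strongPassword(12);
        String d = strongPassword(12);
        System.out.println("SecureRandom: " + c + " / " + d
            + " -> identical: " + c.equals(d));
    }
}
```

The first line of output reports `identical: true`, which is the property an attacker would rely on; the SecureRandom line reports `identical: false`.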
References: http://syncope.apache.org/security.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above.
If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================