SEC-2056: CVE-2012-5055 DaoAuthenticationProvider can reveal which usernames are valid #2280
Labels: in: web, type: bug, type: jira
Rob Winch (Migrated from SEC-2056) said:
Description:
Spring Security's DaoAuthenticationProvider authenticates users by utilizing the PasswordEncoder interface to compare the submitted password with the actual password. If a user is not found, the comparison is skipped which, depending on the PasswordEncoder implementation, can result in a significant difference in the amount of time required to attempt to authenticate an actual user versus a user that does not exist. This opens up the possibility of a side channel attack that would enable a malicious user to determine if a username is valid.
Example:
The DaoAuthenticationProvider allows setting of the PasswordEncoder for password validation:
The difference between the amount of time it takes to authenticate an existing user and a user that does not exist can reveal if a username is valid or not.
Mitigation:
Applications which use DaoAuthenticationProvider and a PasswordEncoder other than PlainTextEncoder are likely to be vulnerable.
All users may mitigate this issue by upgrading to Spring Security 3.1.3+, 3.0.8+, or 2.0.8+.
Fix:
DaoAuthenticationProvider now performs PasswordEncoder.isPasswordValid when a user is not found.
Credit:
The issue was discovered by Nicholas Goodwin.
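The short-circuit described above and the corrected not-found path, modelled in Python as an added example (not Spring Security's own code): a slow encoder counts how often its expensive hash runs, the vulnerable provider skips it entirely for an unknown username, and the hardened provider hashes the submitted password against a dummy credential so both paths cost the same. The class names, the in-memory user store and the dummy password string are constructed for this example.

```python
import hashlib
import hmac
import os

class SlowPasswordEncoder:
    """Stands in for a slow PasswordEncoder; counts encode() runs so the leak is testable."""
    def __init__(self, iterations=20_000):
        self.iterations, self.calls = iterations, 0

    def encode(self, raw, salt):
        self.calls += 1  # deterministic stand-in for the wall-clock cost of one hash
        return hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, self.iterations)

    def is_password_valid(self, encoded, raw, salt):
        return hmac.compare_digest(self.encode(raw, salt), encoded)

class VulnerableProvider:
    """Pre-fix behaviour: an unknown username returns before the encoder ever runs."""
    def __init__(self, store, encoder):
        self.store, self.encoder = store, encoder

    def authenticate(self, username, password):
        entry = self.store.get(username)
        if entry is None:
            return False  # no hashing here, so a fast reply reveals "no such user"
        salt, encoded = entry
        return self.encoder.is_password_valid(encoded, password, salt)

class HardenedProvider(VulnerableProvider):
    """Fixed behaviour: hash the submitted password against a dummy credential when the user is missing."""
    def __init__(self, store, encoder):
        super().__init__(store, encoder)
        self._dummy_salt = os.urandom(16)  # dummy credential prepared once, at construction
        self._dummy_encoded = encoder.encode("userNotFoundPassword", self._dummy_salt)

    def authenticate(self, username, password):
        if username not in self.store:
            # Same work as a real comparison; the result is discarded and the login still fails.
            self.encoder.is_password_valid(self._dummy_encoded, password, self._dummy_salt)
            return False
        return super().authenticate(username, password)

def attempt(provider_cls, username, password):
    """One login attempt against a constructed store; returns (authenticated, encode() runs it cost)."""
    encoder = SlowPasswordEncoder(iterations=1_000)
    salt = os.urandom(16)
    store = {"alice": (salt, encoder.encode("correct horse", salt))}  # constructed user store
    provider = provider_cls(store, encoder)
    before = encoder.calls
    return provider.authenticate(username, password), encoder.calls - before
```

With the vulnerable provider an unknown username costs zero hash runs while a known one costs one, which is the measurable difference the report describes; the hardened provider costs one run on both paths.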