Security Update to disable keytab in JAAS login configuration for Basic authentication (MINDBREEZE29751)
ID: MINDBREEZE29751
Affected Components: Mindbreeze InSpire G7 with active Kerberos client authentication
Severity: Critical
Status: Final
First published: December 18, 2023
CVEs: MINDBREEZE29751
Summary
A configuration issue in the default JAAS login configuration causes the Client Service keytab to be used in the Basic authentication fallback LoginContext. The keytab is configured per Client Service in the Mindbreeze configuration and shall belong to an unprivileged service account used to validate integrated authentication via a service principal name of the form "HTTP/<FQHN>". The effect is that password validation for this particular service user is disabled if the keytab, in addition to the service principal name (SPN, HTTP/<FQHN>), also contains the effective user principal name (UPN).
Security Impact
In Basic authentication, the password of the user whose name matches the service user of the Client Service keytab is not validated if the keytab contains that user principal name in addition to the service principal name (SPN).
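The following JAAS fragment is an added illustration of the mechanism described above, not Mindbreeze's shipped configuration: the entry names, keytab path and host name are assumed placeholders, and the behaviour shown is that of the JDK Krb5LoginModule.

```jaas
// Added illustration (not Mindbreeze's configuration): entry names, keytab
// path and host name below are assumed placeholders.

// Acceptor side: validates SPNEGO tickets presented for HTTP/<FQHN>.
// The keytab belongs here and should hold only the SPN's key.
InspireSpnegoAcceptor {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        isInitiator=false
        keyTab="/path/to/client-service.keytab"
        principal="HTTP/search.example.internal";
};

// Weak Basic-authentication fallback (the advisory's issue): the same keytab
// is enabled for the password login. When the user name supplied via Basic
// authentication has a key in that keytab, Krb5LoginModule takes the key from
// the keytab and the password from the callback handler is never checked.
InspireBasicFallbackWeak {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/path/to/client-service.keytab";
};

// Corrected fallback: no keytab and no ticket cache. The only credential the
// module can use is the password obtained through the callback handler, so
// every Basic login is validated against the KDC with the password-derived key.
InspireBasicFallback {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=false
        useTicketCache=false
        doNotPrompt=false;
};
```

A quick check on an existing deployment is to confirm the Basic fallback entry has no keyTab or useKeyTab=true option, and that the keytab used by the acceptor contains only the HTTP/<FQHN> entries.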
Hotfix Information
Fixed with the following versions of Mindbreeze InSpire On-Premises:
- Mindbreeze InSpire 23.6 HF3 Release