Spring Ldap Impact of Microsoft Security Advisory ADV190023 (LDAP channel binding and LDAP signing)


We are using the Spring Security Ldap library (v4.0.4) to fetch the list of users from our client's Active Directory (ldap://domain:389) and to authenticate them for login to our web application.

Microsoft recently published an advisory on enabling LDAP channel binding and LDAP signing: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

"LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory Domain Controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active directory domain controllers to elevation of privilege vulnerabilities."

We have been asked whether enabling LDAP channel binding and LDAP signing on their servers will affect our process. I could not find any information about these in the documentation: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#ldap

Does the Spring Security Ldap library (v4.0.4) support these? If so, should we change any configuration to make sure things are not affected?

The Spring Security Ldap Library (v4.0.4) was released in February 2016, which is too old to support the LDAP Channel Binding and LDAP Signing from the Microsoft Security Advisory published in August 2019.

I would suggest updating the Spring Security Ldap library to the new stable version 5.3.0.

This is the official answer I got from the project's GitHub page, for anyone who may find it useful:

https://github.com/spring-projects/spring-security/issues/8037

No, Spring Security's AD support only does simple binds with the user's username and password - the only security enhancement available is to use TLS. If an application needs channel binding, I'd imagine it would be via Java's GSS-API.

Since 4.0.x is no longer a supported branch, any added support would very likely go into modern versions of Spring Security.

Of course, if you find any issues along the way, or would like to suggest a feature, then don't hesitate to open another issue and maybe link it back to this one.
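The TLS route the maintainer points to, as an added example that is not code from the original post or from the Spring Security project itself: the same ActiveDirectoryLdapAuthenticationProvider simple bind, with the cleartext ldap://…:389 form used in the question placed beside an LDAPS form. The domain, host and port are placeholders, and the domain controller's certificate is assumed to be trusted by the JVM truststore.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
public class AdAuthConfig {

    // Placeholder values; substitute the client's AD domain and domain controller.
    private static final String AD_DOMAIN = "example.com";
    private static final String DC_HOST = "dc.example.com";

    // Before: simple bind over plain LDAP on 389, as in the question.
    // Once the domain controller enforces "Require signing" (ADV190023), a
    // simple bind on a connection that is not protected by TLS is refused,
    // so every login through this provider starts failing.
    @SuppressWarnings("unused")
    private AuthenticationProvider cleartextProvider() {
        return new ActiveDirectoryLdapAuthenticationProvider(
                AD_DOMAIN, "ldap://" + DC_HOST + ":389");
    }

    // After: the identical simple bind carried inside TLS (LDAPS on 636).
    // Spring Security still performs only a simple bind here; the protection
    // comes from the transport, which is the one option the maintainer names.
    @Bean
    public AuthenticationProvider activeDirectoryAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(
                        AD_DOMAIN, "ldaps://" + DC_HOST + ":636");
        // Map AD sub-error codes (expired password, locked account, ...) to
        // distinct Spring Security exceptions instead of a generic bad-credentials error.
        provider.setConvertSubErrorCodesToExceptions(true);
        return provider;
    }
}
```

A quick pre-change check against the client's domain controller: a test login that succeeds through the ldaps:// provider while the ldap:// form is rejected with LDAP result code 8 (strongerAuthRequired) confirms the signing policy is active and that the TLS configuration is what keeps logins working.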