

2014-SV1 Unicode Passwords

Password-related security vulnerability affecting versions of OMERO4 up to and including 4.4.11 and OMERO5 up to and including 5.0.4

Synopsis

The incorrect encoding of passwords with LATIN-1 rather than UTF-8 caused a reduction in the entropy of passwords with Unicode characters.

Background

Unicode characters in user passwords were being encoded with the LATIN-1 (ISO-8859-1) character set. These extended characters were converted to a subset of the ASCII character set, reducing the strength of the passwords.
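The following Python snippet, added here as an illustration and not taken from OMERO's code base, models the collapse described above: encoding a password as ISO-8859-1 replaces every character that has no Latin-1 code point with "?", so two entirely different non-Latin-1 passwords of the same length become byte-for-byte identical before hashing, whereas UTF-8 keeps them distinct. The sample passwords and the SHA-256 digest are constructed for the demonstration only; OMERO's actual password storage scheme is not shown on this page and is not reproduced here.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample passwords (not from the advisory). The last two are
# "strictly Unicode": every character lies outside ISO-8859-1.
SAMPLE_PASSWORDS: List[str] = [
    "correct horse",   # plain ASCII, unaffected by either encoding
    "Straße-2014",     # ß has a Latin-1 code point, so it survives
    "αβγδεζ",          # Greek, 6 characters, none in Latin-1
    "пароль",          # Cyrillic, 6 characters, none in Latin-1
]


def encode_latin1_lossy(password: str) -> bytes:
    """Model of the pre-fix behaviour (assumption): characters with no
    Latin-1 code point are replaced by '?', as String.getBytes("ISO-8859-1")
    does in Java for unmappable characters."""
    return password.encode("iso-8859-1", errors="replace")


def encode_utf8(password: str) -> bytes:
    """Post-fix behaviour: UTF-8 represents every Unicode character."""
    return password.encode("utf-8")


def digest(raw: bytes) -> str:
    # Illustrative hash only; not OMERO's real password hashing.
    return hashlib.sha256(raw).hexdigest()


def is_weakened(password: str) -> bool:
    """True if the lossy Latin-1 step would alter the password, i.e. at
    least one character would have been turned into '?'."""
    round_tripped = encode_latin1_lossy(password).decode("iso-8859-1")
    return round_tripped != password


def distinct_count(passwords: List[str],
                   encoder: Callable[[str], bytes]) -> int:
    """Number of distinct digests the encoder produces for the list."""
    return len({digest(encoder(pw)) for pw in passwords})


def collisions(passwords: List[str],
               encoder: Callable[[str], bytes]) -> Dict[str, List[str]]:
    """Group passwords by digest; a group with more than one member means
    distinct passwords became indistinguishable under that encoding."""
    groups: Dict[str, List[str]] = {}
    for pw in passwords:
        groups.setdefault(digest(encoder(pw)), []).append(pw)
    return {d: pws for d, pws in groups.items() if len(pws) > 1}


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:16} weakened={is_weakened(pw)!s:5} "
              f"latin1={encode_latin1_lossy(pw)!r}")
    print("distinct under Latin-1:", distinct_count(SAMPLE_PASSWORDS, encode_latin1_lossy))
    print("distinct under UTF-8:  ", distinct_count(SAMPLE_PASSWORDS, encode_utf8))
    print("Latin-1 collisions:", collisions(SAMPLE_PASSWORDS, encode_latin1_lossy))
```

`is_weakened` is the check an administrator would want when deciding which users to ask for a password reset: any password for which it returns True was stored from a string of "?" characters, so its effective search space was reduced to its length rather than its character content. Passwords that use only Latin-1 characters (including accented Western European letters such as ß) are unaffected.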

Affected packages

OMERO.server up to and including 4.4.11, and 5.0 servers prior to 5.0.5.

Impact

A remote attacker could possibly log in to accounts they are not permitted to access. With a list of current users, the attacker could attempt to log in as each user using a limited set of passwords. The primary concern is users with strictly Unicode passwords, who are highly vulnerable.

Note: OMERO accounts which are backed by LDAP are not affected.

Workaround

None.

Resolution

All OMERO.servers should be upgraded to at least 4.4.12 or preferably 5.0.5. System administrators should request that users who might have used extended characters reset their passwords after upgrading. There is no need to choose a new password.
