2014-SV1 Unicode Passwords
Password-related security vulnerability affecting versions of OMERO4 up to and including 4.4.11 and OMERO5 up to and including 5.0.4
The incorrect encoding of passwords with LATIN-1 rather than UTF-8 caused a reduction in the entropy of passwords with Unicode characters.
Unicode characters in user passwords were being encoded with the LATIN-1 (ISO-8859-1) character set. These extended characters were converted to a subset of the ASCII character set, reducing the strength of the passwords.
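As an added illustration (not code from the OMERO advisory or code base), the Python below reproduces the effect of encoding a password with ISO-8859-1 before hashing: it mimics Java's String.getBytes("ISO-8859-1"), which silently substitutes '?' for every character outside Latin-1, so distinct non-Latin passwords collapse to the same bytes and the same hash. The SHA-256 stand-in for the server's password hash and the helper names are assumptions for illustration only.

```python
import hashlib

def latin1_bytes(password: str) -> bytes:
    # Faulty path: mimics Java's String.getBytes("ISO-8859-1"), which silently
    # substitutes '?' for every character outside ISO-8859-1 instead of failing.
    return password.encode("iso-8859-1", errors="replace")

def utf8_bytes(password: str) -> bytes:
    # Fixed path: UTF-8 represents every Unicode character losslessly.
    return password.encode("utf-8")

def digest(raw: bytes) -> str:
    # Stand-in for the server-side password hash (assumed; the scheme itself is
    # irrelevant here, only which bytes reach it).
    return hashlib.sha256(raw).hexdigest()

def is_weakened(password: str) -> bool:
    # True when the Latin-1 encoding loses information: at least one character
    # lies outside ISO-8859-1, so the stored hash no longer depends on it.
    return any(ord(ch) > 0xFF for ch in password)

def collapses_to_placeholder(password: str) -> bool:
    # True for a "strictly Unicode" password: every character lies outside
    # ISO-8859-1, so the server hashes nothing but '?' repeated len(password)
    # times. Only the length survives, which is why such accounts are the
    # primary concern.
    return bool(password) and all(ord(ch) > 0xFF for ch in password)

def main() -> None:
    # Constructed sample passwords: two different Cyrillic words of equal length.
    a, b = "пароль", "привет"
    print(latin1_bytes(a), latin1_bytes(b))                   # b'??????' b'??????'
    print(digest(latin1_bytes(a)) == digest(latin1_bytes(b)))  # True: same hash
    print(digest(utf8_bytes(a)) == digest(utf8_bytes(b)))      # False: distinct
    for pw in (a, "caf\u00e9", "pass\u2013word"):
        print(repr(pw), is_weakened(pw), collapses_to_placeholder(pw))

if __name__ == "__main__":
    main()
```

Characters that do exist in Latin-1, such as the é in "café", survive the faulty encoding unchanged; only characters beyond U+00FF are lost.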
OMERO.server up to and including 4.4.11, and 5.0 servers prior to 5.0.5.
A remote attacker could possibly log in to accounts they are not permitted to access. With a list of current users, the attacker could attempt to log in as each user using a limited set of passwords. The primary concern is users with strictly Unicode passwords, who are highly vulnerable.
Note: OMERO accounts which are backed by LDAP are not affected.
All OMERO.server installations should be upgraded to at least 4.4.12, or preferably 5.0.5. System administrators should ask users who might have used extended characters to reset their passwords after upgrading; there is no need to choose a new password.