
2014-SV2 Empty Passwords

Password-related security vulnerability affecting versions of OMERO4 up to and including 4.4.11 and OMERO5 up to and including 5.0.4.

Synopsis

An error in the bin/omero user add command allowed users created manually with that command to end up without a password.

Background

An empty ("") password is used in OMERO for guest users who require no password. When using bin/omero user add interactively, the entered value for the user password was not correctly set, leaving the user with an empty password like the guest account.

Affected packages

OMERO.server between 4.4.5 and 4.4.11 inclusive, and all 5.0 servers prior to 5.0.5.

Impact

A remote attacker could possibly log in to accounts they are not permitted to access. Given a list of current users, the attacker could attempt to log in as each of them.

Note: OMERO accounts which are backed by LDAP are not affected.

Workaround

Use the provided SQL to disable affected accounts and the provided patches to prevent further empty password creation.

Warning: After running the following SQL, users with empty passwords will be immediately locked out.

Either

  • sql/psql/OMERO5.0__0/2014-SV2-empty-passwords-list.sql (5.0.5), or
  • sql/psql/OMERO4.4__0/2014-SV2-empty-passwords-list.sql (4.4.12)

will list the users which are affected. To lock the accounts, use either:

  • sql/psql/OMERO5.0__0/2014-SV2-empty-passwords-fix.sql (5.0.5), or
  • sql/psql/OMERO4.4__0/2014-SV2-empty-passwords-fix.sql (4.4.12)

For a quick check, use this SQL:

    -- Lists accounts whose stored password hash is empty, excluding the 'guest'
    -- account; 'inactive' marks experimenters no longer in the 'user' group.
    select e.id,
           case when g.id is null then 'inactive' else '' end as active,
           omename, firstname, lastname, email
      from password, experimenter e
      left outer join groupexperimentermap g on (
               g.child = e.id
           and g.parent in (
                 select id from experimentergroup where name = 'user'
               )
           )
     where password.experimenter_id = e.id
       and password.hash = ''         -- empty hash
       and omename <> 'guest'         -- guest legitimately has no password
     order by omename asc;

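The following script is an added example, not OMERO project code: it runs the quick-check query above, unchanged, against a constructed in-memory SQLite copy of the tables the query reads, so the meaning of the `active` column (empty for accounts still in the `user` group, `inactive` otherwise) and the exclusion of `guest` can be seen on known data before the SQL is run on a real PostgreSQL database. The schema is a minimal assumption (only the columns the query touches, plus an `id` column on `groupexperimentermap`, which the query tests), and every row is invented.

```python
"""Offline check for OMERO accounts whose stored password hash is empty.

Added example, not OMERO project code. It builds a constructed, minimal
approximation of the OMERO tables the advisory's SQL reads (password,
experimenter, experimentergroup, groupexperimentermap) in an in-memory
SQLite database, runs that query verbatim and returns the flagged accounts.
"""
import sqlite3

# Constructed schema: only the columns the query touches (real OMERO tables
# carry many more). Assumption: groupexperimentermap has an id column, since
# the advisory's query tests g.id.
SCHEMA = """
create table experimenter (
    id integer primary key, omename text, firstname text, lastname text, email text);
create table password (experimenter_id integer, hash text);
create table experimentergroup (id integer primary key, name text);
create table groupexperimentermap (id integer primary key, parent integer, child integer);
"""

# Constructed sample rows:
#   guest - legitimately empty hash, must NOT be reported
#   alice - empty hash, still a member of 'user' (active account)
#   bob   - empty hash, no longer in 'user' (reported as inactive)
#   carol - non-empty hash, must NOT be reported
SAMPLE_DATA = """
insert into experimenter values (0, 'guest', 'Guest', 'Account', '');
insert into experimenter values (1, 'alice', 'Alice', 'Able', 'alice@example.org');
insert into experimenter values (2, 'bob', 'Bob', 'Baker', 'bob@example.org');
insert into experimenter values (3, 'carol', 'Carol', 'Cole', 'carol@example.org');
insert into password values (0, '');
insert into password values (1, '');
insert into password values (2, '');
insert into password values (3, 'PLACEHOLDER-NON-EMPTY-HASH');
insert into experimentergroup values (1, 'user');
insert into experimentergroup values (2, 'guest');
insert into groupexperimentermap values (10, 1, 1);
insert into groupexperimentermap values (11, 1, 3);
insert into groupexperimentermap values (12, 2, 0);
"""

# The advisory's quick-check query, verbatim. The 'active' column is
# 'inactive' when the experimenter is not in the 'user' group, else ''.
EMPTY_PASSWORD_QUERY = """
select e.id,
       case when g.id is null then 'inactive' else '' end as active,
       omename, firstname, lastname, email
  from password, experimenter e
  left outer join groupexperimentermap g on (
           g.child = e.id
       and g.parent in (
             select id from experimentergroup where name = 'user'
           )
       )
 where password.experimenter_id = e.id
   and password.hash = ''
   and omename <> 'guest'
 order by omename asc;
"""

COLUMNS = ("id", "active", "omename", "firstname", "lastname", "email")


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript(SAMPLE_DATA)
    return conn


def find_empty_password_accounts(conn: sqlite3.Connection) -> list:
    """Run the advisory's query; return one dict per flagged account."""
    return [dict(zip(COLUMNS, row)) for row in conn.execute(EMPTY_PASSWORD_QUERY)]


def report(accounts: list) -> str:
    """Render the flagged accounts as a short text report."""
    if not accounts:
        return "no accounts with an empty password hash (other than guest)"
    lines = ["%d account(s) with an empty password hash:" % len(accounts)]
    for a in accounts:
        state = a["active"] or "active"
        lines.append("  id=%s %s (%s %s) <%s> [%s]" % (
            a["id"], a["omename"], a["firstname"], a["lastname"], a["email"], state))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_empty_password_accounts(build_sample_db())))
```

On the sample data the script reports `alice` (active) and `bob` (inactive) and nothing for `guest` or `carol`. Against a real server the advisory's SQL should be run as-is through psql; the script only makes the query's semantics visible on data whose expected answer is known.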
Apply the appropriate patch for your server version in order to prevent further accounts from being created with empty passwords:

For example:

  • cd OMERO_DIST
  • patch -p0 < 2014-SV2-user.py-5-0.patch

Resolution

All OMERO.server users should upgrade to at least 4.4.12 or preferably 5.0.5. The upgraded versions disallow empty passwords for every account other than "guest", so all affected accounts will be locked as if the SQL workaround had been applied. Those users will have to reset their passwords.

Further, creating empty passwords for all but the "guest" account is now disallowed, which means that the command bin/omero user add --no-password is disabled. To change this setting, set omero.security.password_required to false.
