2014-SV2 Empty Passwords
Password-related security vulnerability affecting versions of OMERO4 up to and including 4.4.11 and OMERO5 up to and including 5.0.4.
An error in the bin/omero user add command has allowed manually created users to be created without passwords.
An empty ("") password is used in OMERO for guest users who require no password. When using bin/omero user add interactively, the entered value for the user password was not correctly set, leaving the user with an empty password like the guest account.
Affected: OMERO.server between 4.4.5 and 4.4.11 inclusive, and all 5.0 servers prior to 5.0.5.
A remote attacker could possibly log in to accounts they are not permitted to access. With a list of current users, the attacker could attempt to log in as each user.
Note: OMERO accounts which are backed by LDAP are not affected.
Use the provided SQL to disable affected accounts and the provided patches to prevent further empty password creation.
Warning: After running the following SQL, users with empty passwords will be immediately locked out.
For a quick check, use this SQL:

select e.id, case when g.id is null then 'inactive' else '' end as active,
       omename, firstname, lastname, email
from password, experimenter e
left outer join groupexperimentermap g
  on (g.child = e.id and
      g.parent in (select id from experimentergroup where name = 'user'))
where password.experimenter_id = e.id
  and password.hash = ''
  and omename <> 'guest'
order by omename asc;

This query will list the users which are affected. To lock the accounts, use either:
Apply the appropriate patch for your server version in order to prevent further accounts from being created with empty passwords:
patch -p0 < 2014-SV2-user.py-5-0.patch
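To show what the check above actually returns, here is an added Python example (not OMERO project code) that recreates a toy version of the four tables the query reads, fills them with constructed rows, and runs the advisory's query unchanged through sqlite3; the schema and column types are assumptions inferred from the query, not taken from OMERO.

```python
import sqlite3

# Stand-in for the OMERO tables the advisory's query touches; column names come
# from the query itself. This is a constructed toy schema, not an OMERO dump.
SCHEMA = """
create table experimenter (id integer primary key, omename text, firstname text,
                           lastname text, email text);
create table password (experimenter_id integer, hash text);
create table experimentergroup (id integer primary key, name text);
create table groupexperimentermap (id integer primary key, parent integer, child integer);
"""

# Constructed sample rows: 'guest' legitimately has an empty hash; 'alice' was
# created by the buggy interactive `user add` and has an empty hash; 'bob' has a
# real hash; 'carol' has an empty hash but is no longer in the 'user' group.
EXPERIMENTERS = [(1, "guest", "Guest", "Account", ""),
                 (2, "alice", "Alice", "Example", "alice@example.org"),
                 (3, "bob", "Bob", "Example", "bob@example.org"),
                 (4, "carol", "Carol", "Example", "carol@example.org")]
PASSWORDS = [(1, ""), (2, ""), (3, "placeholder-non-empty-hash"), (4, "")]
GROUPS = [(0, "system"), (1, "user")]
MEMBERSHIP = [(1, 1, 1), (2, 1, 2), (3, 1, 3)]  # (id, parent group, child experimenter)

# The advisory's detection query, unchanged apart from whitespace.
CHECK_SQL = """
select e.id, case when g.id is null then 'inactive' else '' end as active,
       omename, firstname, lastname, email
from password, experimenter e
left outer join groupexperimentermap g
  on (g.child = e.id and
      g.parent in (select id from experimentergroup where name = 'user'))
where password.experimenter_id = e.id and password.hash = '' and omename <> 'guest'
order by omename asc;
"""

def build_sample_db():
    """Create an in-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into experimenter values (?,?,?,?,?)", EXPERIMENTERS)
    conn.executemany("insert into password values (?,?)", PASSWORDS)
    conn.executemany("insert into experimentergroup values (?,?)", GROUPS)
    conn.executemany("insert into groupexperimentermap values (?,?,?)", MEMBERSHIP)
    return conn

def find_empty_password_accounts(conn):
    """Return [(omename, status), ...] where status is '' (active) or 'inactive'."""
    return [(row[2], row[1]) for row in conn.execute(CHECK_SQL)]
```

Against a real OMERO.server the same query is issued to the PostgreSQL database instead of this toy sqlite3 copy; guest and the account with a real hash are correctly left out of the result.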
All OMERO.server users should upgrade to at least 4.4.12 or preferably 5.0.5. The upgraded versions disallow empty passwords for all users other than "guest", so that all affected accounts will be locked as if the SQL workaround had been applied. Users will have to reset their passwords.
Further, creating empty passwords for all but the "guest" account is now disallowed, which means that the command bin/omero user add --no-password is disabled. To change this setting, set