2014-SV1 Unicode Passwords

affects OMERO4 versions 4.4.11 and earlier and OMERO5 versions 5.0.4 and earlier

Synopsis

The incorrect encoding of passwords with LATIN-1 rather than UTF-8 caused a reduction in the entropy of passwords with Unicode characters.

Background

Unicode characters in user passwords were being encoded with the LATIN-1 (ISO-8859-1) character set. These extended characters were converted to a subset of the ASCII character set, reducing the strength of the passwords.

Affected Packages

OMERO.server up to and including 4.4.11, and 5.0 servers prior to 5.0.5.

Impact

A remote attacker could possibly log in to accounts that they are not permitted to access. Given a list of current users, the attacker could attempt to log in as each user using a limited set of candidate passwords. The primary concern is users with strictly Unicode passwords, who are highly vulnerable.

Note: OMERO accounts which are backed by LDAP are not affected.
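The following is an added illustration of the Background and Impact sections above; it is not OMERO code and does not reproduce OMERO's password storage scheme. It mimics the lossy LATIN-1 conversion (Java's `String.getBytes("ISO-8859-1")` replaces unmappable characters with `?`) beside a correct UTF-8 encoding, shows how distinct non-LATIN-1 passwords collapse to the same byte string and therefore the same stored digest, and gives a check an administrator could run at password-set or login time to flag accounts whose passwords would be affected. The SHA-256 digest and the sample passwords are constructed for the example only.

```python
import hashlib


def encode_latin1_lossy(password: str) -> bytes:
    """Mimic the vulnerable behaviour: characters outside ISO-8859-1
    are silently replaced by '?', so a password made of such characters
    degenerates into a run of question marks of the same length."""
    return password.encode("iso-8859-1", errors="replace")


def encode_utf8(password: str) -> bytes:
    """The correct behaviour: every Unicode character is preserved."""
    return password.encode("utf-8")


def is_lossy_under_latin1(password: str) -> bool:
    """True if at least one character of the password cannot be
    represented in ISO-8859-1, i.e. the account needs a password reset
    after upgrading (the stored digest was computed from a degraded string)."""
    try:
        password.encode("iso-8859-1")
        return False
    except UnicodeEncodeError:
        return True


def digest(password: str, encoder) -> str:
    # Illustrative only: SHA-256 over the encoded bytes. OMERO's real
    # password hashing is not reproduced here.
    return hashlib.sha256(encoder(password)).hexdigest()


def collision_groups(passwords, encoder):
    """Group passwords by the byte string the encoder produces.
    Under the lossy encoder, unrelated passwords end up in one group,
    which is exactly the entropy loss the advisory describes."""
    groups = {}
    for pw in passwords:
        groups.setdefault(encoder(pw), []).append(pw)
    return groups


# Constructed sample passwords: plain ASCII, a LATIN-1 character (ß is
# representable, so it survives), and three passwords made entirely of
# characters outside LATIN-1.
SAMPLE_PASSWORDS = ["ascii123", "Paßwort", "密码很长", "日本語で", "пароль"]


def affected_accounts(passwords):
    """Return the passwords (here standing in for accounts) that would
    need a reset once the server encodes with UTF-8."""
    return [pw for pw in passwords if is_lossy_under_latin1(pw)]


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:12} latin1={encode_latin1_lossy(pw)!r:18} utf8={encode_utf8(pw)!r}")
    print("distinct stored values, LATIN-1:", len(collision_groups(SAMPLE_PASSWORDS, encode_latin1_lossy)))
    print("distinct stored values, UTF-8:  ", len(collision_groups(SAMPLE_PASSWORDS, encode_utf8)))
    print("accounts needing reset:", affected_accounts(SAMPLE_PASSWORDS))
```

The two four-character passwords `密码很长` and `日本語で` both become `b'????'` under the lossy encoder, so their digests are identical and a single candidate of the form `????` matches either account; under UTF-8 every sample password keeps a distinct stored value.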

Workaround

None

Resolution

All OMERO.server installations should be upgraded to at least 4.4.12 or preferably 5.0.5. System administrators should request that users who might have used extended characters reset their passwords after upgrading. There is no need to choose a new password.
