2014-SV2 Empty Passwords

affects OMERO4 versions 4.4.11 and earlier and OMERO5 versions 5.0.4 and earlier


Synopsis

An error in the bin/omero user add command allowed manually created users to be created without passwords.

Background

An empty ("") password is used in OMERO for guest users who require no password. When using bin/omero user add interactively, the entered value for the user password was not correctly set, leaving the user with an empty password like the guest account.

Affected Packages

OMERO.server 4.4.5 up to and including 4.4.11, and all 5.0 servers prior to 5.0.5.

Impact

A remote attacker could possibly log in to accounts he/she is not permitted to access. With a list of current users, the attacker could attempt to log in as each user.

Note: OMERO accounts which are backed by LDAP are not affected.

Workaround

Use the provided SQL to disable affected accounts and the provided patches to prevent further empty password creation.

Warning: After running the following SQL, users with empty passwords will be immediately locked out. Either:

will list the users who are affected. To lock accounts, use either:

For a quick check, use this SQL:

select e.id,
       case when g.id is null then 'inactive' else '' end as active,
       omename, firstname, lastname, email
  from password, experimenter e
  left outer join groupexperimentermap g on (
           g.child = e.id
       and g.parent in (
             select id from experimentergroup where name = 'user'
           )
       )
 where password.experimenter_id = e.id
   and password.hash = ''
   and omename <> 'guest'
 order by omename asc;
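The check above only reads from the database, so it can be rehearsed safely before running it against a production server. The following added example (not part of the advisory or of OMERO's own code) rebuilds the four tables the query touches in an in-memory SQLite database with constructed rows, including a deliberately empty hash for an active user, an empty hash for a user who is not a member of the "user" group, and the guest account, and then runs an equivalent of the advisory's query rewritten with an explicit JOIN (SQLite and PostgreSQL both accept this form). Table and column names follow the query on this page; the hash values and user records are invented for the demonstration.

```python
import sqlite3

# Constructed schema: only the columns the advisory's query references.
SCHEMA = """
create table experimenter (
    id integer primary key, omename text, firstname text, lastname text, email text);
create table password (experimenter_id integer, hash text);
create table experimentergroup (id integer primary key, name text);
create table groupexperimentermap (id integer primary key, parent integer, child integer);
"""

# Constructed sample rows (not real OMERO data). "<hashed>" stands in for a
# real password hash; the empty string is the condition the advisory describes.
SAMPLE_ROWS = {
    "experimenter": [
        (1, "guest", "Guest", "Account", None),
        (2, "alice", "Alice", "Smith", "alice@example.org"),
        (3, "bob", "Bob", "Jones", "bob@example.org"),
        (4, "carol", "Carol", "Lee", "carol@example.org"),
    ],
    "password": [(1, ""), (2, ""), (3, "<hashed>"), (4, "")],
    "experimentergroup": [(10, "system"), (11, "user")],
    # carol (id 4) is not in the "user" group, so she should be flagged inactive
    "groupexperimentermap": [(100, 11, 2), (101, 11, 3)],
}

# Same logic as the advisory's SQL, with the implicit comma join made explicit.
EMPTY_PASSWORD_QUERY = """
select e.id,
       case when g.id is null then 'inactive' else '' end as active,
       e.omename, e.firstname, e.lastname, e.email
  from experimenter e
  join password p on p.experimenter_id = e.id
  left outer join groupexperimentermap g on (
           g.child = e.id
       and g.parent in (select id from experimentergroup where name = 'user')
       )
 where p.hash = ''
   and e.omename <> 'guest'
 order by e.omename asc
"""


def build_sample_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ", ".join("?" for _ in rows[0])
        conn.executemany(f"insert into {table} values ({placeholders})", rows)
    conn.commit()
    return conn


def find_empty_password_accounts(conn):
    """Return (id, active_flag, omename, firstname, lastname, email) rows for
    every non-guest account whose stored password hash is the empty string."""
    return conn.execute(EMPTY_PASSWORD_QUERY).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in find_empty_password_accounts(db):
        print(row)
```

Expected output on the constructed data is two rows: alice (active, flag empty) and carol (flagged "inactive"); guest is excluded by name and bob by his non-empty hash. The inactive flag matters operationally: an account outside the "user" group cannot log in anyway, so the active rows are the ones that need immediate attention.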

Apply the appropriate patch for your server version in order to prevent further accounts from being created with empty passwords:

For example:

Resolution

All OMERO.server users should upgrade to at least 4.4.12 or preferably 5.0.5. The upgraded versions will disallow empty passwords other than for the "guest" user, so that all such accounts will be locked as if the SQL workaround had been applied. Affected users will have to reset their passwords.

Further, creating empty passwords for any account other than "guest" is now disallowed, which means that the command bin/omero user add --no-password is disabled. To change this setting, set omero.security.password_required to false.
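To make the rule described in the Resolution concrete, here is an added illustration (not OMERO's implementation) of the policy a user-creation path should enforce: an empty or missing password is accepted only for the "guest" account, unless the administrator has explicitly set omero.security.password_required to false. The function names, the PBKDF2 hashing used as a placeholder, and the sample requests are assumptions for this example; the only values taken from the advisory are the "guest" name and the setting name.

```python
import hashlib
import os
from typing import Optional

GUEST_OMENAME = "guest"


def password_allowed(omename: str, password: Optional[str],
                     password_required: bool = True) -> bool:
    """Decide whether an account may be stored with the given password.

    password_required mirrors omero.security.password_required: when True
    (the default after the fix), only the guest account may have no password.
    """
    if password:                      # non-empty string: always acceptable
        return True
    if omename == GUEST_OMENAME:      # the one account designed to be open
        return True
    return not password_required      # administrator opted out of the check


def hash_password(password: str) -> str:
    """Placeholder hashing for the example (salted PBKDF2-HMAC-SHA256);
    not OMERO's password format."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def add_user(omename: str, password: Optional[str],
             password_required: bool = True) -> dict:
    """Create a user record, refusing the empty-password case the advisory describes."""
    if not password_allowed(omename, password, password_required):
        raise ValueError(f"refusing to create '{omename}' without a password")
    stored = hash_password(password) if password else ""
    return {"omename": omename, "hash": stored}


def simulate_user_add(requests, password_required: bool = True) -> dict:
    """Run a batch of (omename, password) requests and report the outcome
    for each, so the policy can be checked without a live server."""
    outcome = {}
    for omename, password in requests:
        try:
            add_user(omename, password, password_required)
            outcome[omename] = "created"
        except ValueError:
            outcome[omename] = "rejected"
    return outcome


if __name__ == "__main__":
    # Constructed requests: one normal user, one empty password, the guest account.
    sample = [("alice", "s3cret-value"), ("bob", ""), ("guest", "")]
    print(simulate_user_add(sample))
    print(simulate_user_add(sample, password_required=False))
```

With the default setting the batch yields alice created, bob rejected and guest created; with password_required set to false every request is accepted, which is exactly the pre-fix behaviour the advisory warns about, so that setting should be changed only with the lockout SQL in hand.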