affects OMERO4 versions 4.4.11 and earlier and OMERO5 versions 5.0.4 and earlier
An error in the bin/omero user add command allowed manually added users to be created without passwords.
An empty ("") password is used in OMERO for guest users who require no password. When using bin/omero user add interactively, the entered value for the user password was not correctly set, leaving the user with an empty password like the guest account.
OMERO.server 4.4.5 up to and including 4.4.11, and all 5.0 servers prior to 5.0.5.
A remote attacker could possibly log in to accounts he/she is not permitted to access. With a list of current users, the attacker could attempt to log in as each user.
Note: OMERO accounts which are backed by LDAP are not affected.
Use the provided SQL to disable affected accounts and the provided patches to prevent further empty password creation.
Warning: After running the following SQL, users with empty passwords will be immediately locked out. Either:
will list the users who are affected. To lock accounts, use either:
For a quick check, use this SQL:
select e.id,
       case when g.id is null then 'inactive' else '' end as active,
       omename, firstname, lastname, email
from password, experimenter e
  left outer join groupexperimentermap g
    on ( g.child = e.id
         and g.parent in ( select id from experimentergroup where name = 'user' ) )
where password.experimenter_id = e.id
  and password.hash = ''
  and omename <> 'guest'
order by omename asc;
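To see exactly which accounts the quick-check query flags, the following is an added example (not part of this advisory or of the OMERO project) that loads a constructed subset of the schema into an in-memory SQLite database and runs the query unchanged. The table layout is an assumption built from the column names the query uses; real OMERO tables carry more columns.

```python
import sqlite3

# Constructed minimal subset of the OMERO tables the advisory's check reads;
# column names come from the query, real OMERO tables have more columns.
SCHEMA = """
create table experimenter (id integer primary key, omename text,
                           firstname text, lastname text, email text);
create table password (experimenter_id integer, hash text);
create table experimentergroup (id integer primary key, name text);
create table groupexperimentermap (id integer primary key, parent integer, child integer);
"""

# Constructed sample data: 'alice' has a normal hash, 'bob' and 'carol' were
# created with empty hashes, 'carol' is no longer a member of the 'user'
# group, and 'guest' legitimately has an empty hash.
SAMPLE = """
insert into experimentergroup values (1, 'system'), (2, 'user');
insert into experimenter values
  (1, 'guest', 'Guest', 'Account', null),
  (2, 'alice', 'Alice', 'Adams', 'alice@example.org'),
  (3, 'bob',   'Bob',   'Brown', 'bob@example.org'),
  (4, 'carol', 'Carol', 'Clark', 'carol@example.org');
insert into password values (1, ''), (2, 'SOMEHASH=='), (3, ''), (4, '');
insert into groupexperimentermap (parent, child) values (2, 2), (2, 3);
"""

# The advisory's query, unchanged apart from whitespace.
CHECK_SQL = """
select e.id, case when g.id is null then 'inactive' else '' end as active,
       omename, firstname, lastname, email
from password, experimenter e
  left outer join groupexperimentermap g on (g.child = e.id and
    g.parent in (select id from experimentergroup where name = 'user'))
where password.experimenter_id = e.id and password.hash = ''
  and omename <> 'guest'
order by omename asc;
"""

def build_sample_db():
    """Return an in-memory SQLite database loaded with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def find_empty_password_accounts(conn):
    """Run the advisory's check and return [(omename, active), ...].

    The query only sees experimenters that have a row in the password table."""
    return [(row[2], row[1]) for row in conn.execute(CHECK_SQL)]
```

On the sample data the check reports bob (active) and carol (inactive); alice has a real hash and guest is excluded by name.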
Apply the appropriate patch for your server version in order to prevent further accounts from being created with empty passwords:
patch -p0 < 2014-SV2-user.py-5-0.patch
All OMERO.server users should upgrade to at least 4.4.12 or preferably 5.0.5. The upgraded versions will disallow empty passwords other than the "guest" user, so that all accounts will be locked as if the SQL workaround had been applied. Users will have to reset their passwords.
Further, creating empty passwords for all but the "guest" account is now disallowed, which means that the command
bin/omero user add --no-password is disabled. To change this setting, set