Progress Software’s OpenEdge authentication gateway and AdminServer need to be patched against a critical authentication bypass bug present in all supported releases of OpenEdge.
According to the company’s advisory, the bug affects OpenEdge Release 11.7.18 and earlier, OpenEdge 12.2.13 and earlier, and OpenEdge 12.8.0.
The bug’s Mitre entry adds: “Certain unexpected content passed into the credentials can lead to unauthorised access without proper authentication.”
Progress said the vulnerability manifests when the OpenEdge authentication gateway (OEAG) is configured with an OpenEdge domain that uses the operating system’s local authentication provider.
Another vulnerable scenario is when the admin server connection is made by OpenEdge Explorer and OpenEdge management, because this process also uses the OS’s local authentication provider.
AdminServer logins are always vulnerable, Progress explained, because they only support OS local logins.
The OEAG, on the other hand, “is only vulnerable when an administrator has configured an OpenEdge domain to use the OS local authentication provider”, the advisory stated.
“The vulnerability incorrectly returns authentication success from an OE local domain if there is a failure to properly handle certain types of usernames and passwords.”