Progress patches authentication bug in OpenEdge

By
Follow google news

All supported versions affected.

Progress Software’s OpenEdge authentication gateway and AdminServer need to be patched against a critical authentication bypass bug present in all supported releases of OpenEdge.

Progress patches authentication bug in OpenEdge

According to the company’s advisory, the bug affects OpenEdge Release 11.7.18 and earlier, OpenEdge 12.2.13 and earlier, and OpenEdge 12.8.0.

The bug’s Mitre entry adds: “Certain unexpected content passed into the credentials can lead to unauthorised access without proper authentication.”

Progress said the vulnerability manifests when the OpenEdge authentication gateway (OEAG) is configured with an OpenEdge domain that uses the operating system’s local authentication provider.

Another vulnerable scenario is when the admin server connection is made by OpenEdge Explorer and OpenEdge management, because this process also uses the OS’s local authentication provider.

AdminServer logins are always vulnerable, Progress explained, because they only support OS local logins.

The OEAG, on the other hand, “is only vulnerable when an administrator has configured an OpenEdge domain to use the OS local authentication provider”, the advisory stated.

“The vulnerability incorrectly returns authentication success from an OE local domain if there is a failure to properly handle certain types of usernames and passwords.”

Add iTnews as your trusted source

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Microsoft device telemetry key to unmasking alleged Scattered Spider hacker

Microsoft device telemetry key to unmasking alleged Scattered Spider hacker

Bendigo Bank aims to have Australia's "first agentic SOC"

Bendigo Bank aims to have Australia's "first agentic SOC"

Services Australia describes fraud, debt-related machine learning use cases

Services Australia describes fraud, debt-related machine learning use cases

ASD to retire Essential Eight cyber security framework within next two years

ASD to retire Essential Eight cyber security framework within next two years

Log In

  |  Forgot your password?