CVE-2024-38829

1. Affected product: Spring LDAP
2. Affected packages:
   • spring-ldap-core
   • spring-ldap-odm
3. Affected versions:
   • All versions prior to 2.4.0
   • 2.4.0 – 2.4.3
   • 3.0.0 – 3.0.9
   • 3.1.0 – 3.1.7
   • 3.2.0 – 3.2.7
4. GitHub repository:
   • https://github.com/spring-projects/spring-ldap
5. Published packages:
   • https://mvnrepository.com/artifact/org.springframework.ldap/spring-ldap-core
   • https://mvnrepository.com/artifact/org.springframework.ldap/spring-ldap-odm
6. Fixed In: Open source community version 2.4.4 (credit: Josh Cummings) and in ELS for Spring LDAP v2.4.4.TuxCare, which relies on version 2.4.4 as a baseline.

The String.toLowerCase() and String.toUpperCase() methods in Java use locale-specific rules for case conversion. These rules can differ greatly depending on the locale, which could lead to unexpected results when comparing or transforming strings. For instance, the French locale has unique case-mapping rules for certain characters like ‘œ’ and ‘oe’, in German locale ‘ß’ and ‘ss’, etc. which deviate from the default behavior.

• The German lowercase “ß” is sometimes replaced with “ss” in locale-sensitive transformations.
• This can break authentication, security checks, or text comparisons if a system expects “straße” but instead gets “strasse“.
• If a username or password contains “ß”, it may not match its uppercase counterpart properly in case-insensitive string comparisons, leading to security vulnerabilities or authentication failures.

1. Set Up a Spring Security Application:
   • Create a Spring Boot application with Spring Security configured for role-based access control.​
2. Define Roles with Case Variations:
   • Assign roles to users where the role names differ only in case (e.g., “ADMIN” and “admin”).
3. Implement Case Transformation in Authorization Logic:
   • Incorporate String.toLowerCase() or String.toUpperCase() in the authorization logic to normalize role names.​
4. Set the Application Locale to One with Unique Case Rules:
   • Configure the application to use a locale with special case mappings, such as Turkish (tr-TR), where for example case-mapping rules for certain characters, such as ‘i’ and ‘I’ in the Turkish locale, can differ from the default behavior.
5. Attempt to Access Protected Resources:
   • Log in as a user with a specific role and attempt to access resources protected by role-based access control.​

Spring LDAP 2.4.x is no longer supported by the open source community, as its End of Life date is 2023-06-30. This simply means that the version from that date does not receive any updates to address this issue.

‍Users of the affected components should apply one of the following mitigations:

• Implement TuxCare’s Endless Lifecycle Support (ELS) for Spring, which delivers long-term security patches for end-of-life Spring project versions, including the  versions impacted by this CVE.
• Just upgrade to the 2.4.4 open source community version and accept the risk of not getting any further security updates from the community.
• Alternatively, make the effort to upgrade to the newer still supported Spring Security open source versions that have integrated the fix, e.g. 3.2.11

Do you need a fix for this vulnerability for any other Spring Security version? Please contact us, we are here to help you!

• https://github.com/advisories/GHSA-mqvr-2rp8-j7h4
• https://nvd.nist.gov/vuln/detail/CVE-2024-38829
• https://spring.io/security/cve-2024-38829