Impact
There is a vulnerability allowing brute-force attacks on local user authentication. If you are using the file authentication provider (i.e. not an LDAP/AD/RADIUS server) with bcrypt
password storage (the default since 6.1), you should upgrade your Rudder server to one of the fixed versions listed under Patches.
More details on the underlying flaw and its possible exploitation are available here: https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/.
Patches
This bug has been fixed in Rudder 6.1.13 and 6.2.7, which were released on 2021/05/18.
Workarounds
Disable local accounts until you have upgraded.
References