panther-labs / panther-analysis

Built-in Panther detection rules and policies
https://panther.com/
Apache License 2.0

Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory #1428

Closed arielkr256 closed 4 days ago

arielkr256 commented 4 days ago

Background

On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication.

Customers meeting the pre-conditions should investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters during the period from July 23rd, 2024 to October 30th, 2024.

Changes

Testing
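
The following is an added example of what a Panther-style rule for this advisory can look like, written by the editor for illustration; it is not the rule submitted in this PR or any other panther-analysis code. It assumes the Okta System Log field names `eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress` and `published`, and assumes the delegated-authentication event types `user.authentication.auth_via_AD_agent` and `user.authentication.auth_via_LDAP_agent`; confirm both against your own log data. The `deep_get` helper and the sample events are local stand-ins constructed for the example, and the 52-character threshold and the July 23rd to October 30th window are taken from the advisory text above. `rule` is the live detection (it has no date condition, since new events are by definition outside the window), and `hunt` applies the window for a retroactive search over stored events.

```python
"""
Illustrative Panther-style detection for the Okta AD/LDAP delegated
authentication advisory. Added example, not panther-analysis code.
Field and event-type names are assumptions about the Okta System Log schema.
"""
from datetime import date

# Okta event types for delegated authentication via the AD and LDAP agents
# (assumed names; verify against your System Log before deploying).
DELAUTH_EVENT_TYPES = {
    "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_LDAP_agent",
}

# Threshold stated in the advisory: usernames longer than 52 characters.
USERNAME_LENGTH_THRESHOLD = 52

# Investigation window stated in the advisory (inclusive).
WINDOW_START = date(2024, 7, 23)
WINDOW_END = date(2024, 10, 30)


def deep_get(obj, *keys, default=None):
    """Local stand-in for a nested-key lookup helper (not Panther's own)."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
        if obj is None:
            return default
    return obj


def rule(event):
    """Fire on a successful AD/LDAP DelAuth event whose username exceeds 52 chars."""
    if event.get("eventType") not in DELAUTH_EVENT_TYPES:
        return False
    if deep_get(event, "outcome", "result") != "SUCCESS":
        return False
    username = deep_get(event, "actor", "alternateId", default="")
    return len(username) > USERNAME_LENGTH_THRESHOLD


def title(event):
    """Alert title naming the username length and the source address."""
    username = deep_get(event, "actor", "alternateId", default="<unknown>")
    src = deep_get(event, "client", "ipAddress", default="<unknown>")
    return (
        f"Okta delegated auth with {len(username)}-character username "
        f"[{username}] from {src}"
    )


def in_advisory_window(event):
    """True when the event's published date lies inside the advisory window."""
    published = event.get("published", "")
    try:
        when = date.fromisoformat(published[:10])  # ISO 8601 date prefix
    except ValueError:
        return False
    return WINDOW_START <= when <= WINDOW_END


def hunt(events):
    """Retroactive search: rule matches that also fall inside the window."""
    return [e for e in events if rule(e) and in_advisory_window(e)]


# Constructed sample events for the example (not real log data).
LONG_USERNAME = "svc.reporting.europe.west.finance.batch@corp.example.com"  # 56 chars
SAMPLE_EVENTS = [
    {  # long username, success, inside the window: flagged by rule and hunt
        "eventType": "user.authentication.auth_via_AD_agent",
        "published": "2024-09-12T14:03:11.000Z",
        "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00u1abcdefghijklmnop", "alternateId": LONG_USERNAME},
        "client": {"ipAddress": "203.0.113.7"},
    },
    {  # short username: not flagged
        "eventType": "user.authentication.auth_via_LDAP_agent",
        "published": "2024-08-01T09:15:00.000Z",
        "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00u2abcdefghijklmnop", "alternateId": "jdoe@example.com"},
        "client": {"ipAddress": "203.0.113.8"},
    },
    {  # long username but failed authentication: not flagged
        "eventType": "user.authentication.auth_via_AD_agent",
        "published": "2024-09-20T22:41:30.000Z",
        "outcome": {"result": "FAILURE"},
        "actor": {"id": "00u1abcdefghijklmnop", "alternateId": LONG_USERNAME},
        "client": {"ipAddress": "198.51.100.4"},
    },
    {  # long username, success, after the window: rule fires, hunt excludes
        "eventType": "user.authentication.auth_via_AD_agent",
        "published": "2024-11-05T07:00:00.000Z",
        "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00u1abcdefghijklmnop", "alternateId": LONG_USERNAME},
        "client": {"ipAddress": "203.0.113.7"},
    },
    {  # long username on a non-DelAuth event type: not flagged
        "eventType": "user.session.start",
        "published": "2024-09-12T14:03:12.000Z",
        "outcome": {"result": "SUCCESS"},
        "actor": {"id": "00u1abcdefghijklmnop", "alternateId": LONG_USERNAME},
        "client": {"ipAddress": "203.0.113.7"},
    },
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(title(hit))
```

Note that `rule` counts characters of `actor.alternateId`, matching the advisory's wording; if your usernames can contain multi-byte characters and you want to reason about the bcrypt input length instead, compare `len(username.encode("utf-8"))` and adjust the threshold accordingly.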

github-actions[bot] commented 4 days ago

:scream: looks like some things could be wrong with the packs

[INFO][root]: ignoring file dependabot.yml