CVE-2023-4501: Authentication bypass in OpenText (Micro Focus) Enterprise Server
First published: Tue Sep 12 2023(Updated: )
User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants such as Enterprise Test Server), versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9, and 9.0 patch update 1, when LDAP-based authentication is used with certain configurations. When the vulnerability is active, authentication succeeds with any valid username, regardless of whether the password is correct; it may also succeed with an invalid username (and any password). This allows an attacker with access to the product to impersonate any user. Mitigations: The issue is corrected in the upcoming patch update for each affected product. Product overlays and workaround instructions are available through OpenText Support. The vulnerable configurations are believed to be uncommon. Administrators can test for the vulnerability in their installations by attempting to sign on to a Visual COBOL or Enterprise Server component such as ESCWA using a valid username and incorrect password.
Credit: security@opentext.com security@opentext.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microfocus Cobol Server | =7.0-patch_update_19 | |
| Microfocus Cobol Server | =7.0-patch_update_20 | |
| Microfocus Cobol Server | =8.0-patch_update_8 | |
| Microfocus Cobol Server | =8.0-patch_update_9 | |
| Microfocus Cobol Server | =9.0-patch_update_1 | |
| Microfocus Enterprise Developer | =7.0-patch_update_19 | |
| Microfocus Enterprise Developer | =7.0-patch_update_20 | |
| Microfocus Enterprise Developer | =8.0-patch_update_8 | |
| Microfocus Enterprise Developer | =8.0-patch_update_9 | |
| Microfocus Enterprise Developer | =9.0-patch_update_1 | |
| Microfocus Enterprise Server | =7.0-patch_update_19 | |
| Microfocus Enterprise Server | =7.0-patch_update_20 | |
| Microfocus Enterprise Server | =8.0-patch_update_8 | |
| Microfocus Enterprise Server | =8.0-patch_update_9 | |
| Microfocus Enterprise Server | =9.0-patch_update_1 | |
| Microfocus Enterprise Test Server | =7.0-patch_update_19 | |
| Microfocus Enterprise Test Server | =7.0-patch_update_20 | |
| Microfocus Enterprise Test Server | =8.0-patch_update_8 | |
| Microfocus Enterprise Test Server | =8.0-patch_update_9 | |
| Microfocus Enterprise Test Server | =9.0-patch_update_1 | |
| Microfocus Visual Cobol | =7.0-patch_update_19 | |
| Microfocus Visual Cobol | =7.0-patch_update_20 | |
| Microfocus Visual Cobol | =8.0-patch_update_8 | |
| Microfocus Visual Cobol | =8.0-patch_update_9 | |
| Microfocus Visual Cobol | =9.0-patch_update_1 | |
| =7.0-patch_update_19 | ||
| =7.0-patch_update_20 | ||
| =8.0-patch_update_8 | ||
| =8.0-patch_update_9 | ||
| =9.0-patch_update_1 | ||
| =7.0-patch_update_19 | ||
| =7.0-patch_update_20 | ||
| =8.0-patch_update_8 | ||
| =8.0-patch_update_9 | ||
| =9.0-patch_update_1 | ||
| =7.0-patch_update_19 | ||
| =7.0-patch_update_20 | ||
| =8.0-patch_update_8 | ||
| =8.0-patch_update_9 | ||
| =9.0-patch_update_1 | ||
| =7.0-patch_update_19 | ||
| =7.0-patch_update_20 | ||
| =8.0-patch_update_8 | ||
| =8.0-patch_update_9 | ||
| =9.0-patch_update_1 | ||
| =7.0-patch_update_19 | ||
| =7.0-patch_update_20 | ||
| =8.0-patch_update_8 | ||
| =8.0-patch_update_9 | ||
| =9.0-patch_update_1 |
Remedy
Install 7.0 Patch Update 21, 8.0 Patch Update 10, or 9.0 Patch Update 2, or later, when available. Hotfix overlays are available now for common platforms and can be produced for other platforms; contact OpenText Support to request a hotfix overlay.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-4501?
The severity of CVE-2023-4501 is critical with a CVSS score of 9.8.
Which software versions are affected by CVE-2023-4501?
CVE-2023-4501 affects OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9.
How does CVE-2023-4501 impact user authentication?
User authentication with username and password credentials is ineffective in the affected versions of OpenText (Micro Focus) software.
How can I fix CVE-2023-4501?
To fix CVE-2023-4501, it is recommended to apply the relevant patch updates provided by OpenText (Micro Focus) to the affected software versions.
Where can I find more information about CVE-2023-4501?
More information about CVE-2023-4501 can be found in the article linked on the Micro Focus portal: https://portal.microfocus.com/s/article/KM000021287
- collector/nvd-index
- agent/weakness
- agent/author
- agent/type
- agent/references
- agent/title
- agent/severity
- agent/remedy
- agent/description
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/microfocus
- canonical/microfocus cobol server
- version/microfocus cobol server/7.0-patch_update_19
- version/microfocus cobol server/7.0-patch_update_20
- version/microfocus cobol server/8.0-patch_update_8
- version/microfocus cobol server/8.0-patch_update_9
- version/microfocus cobol server/9.0-patch_update_1
- canonical/microfocus enterprise developer
- version/microfocus enterprise developer/7.0-patch_update_19
- version/microfocus enterprise developer/7.0-patch_update_20
- version/microfocus enterprise developer/8.0-patch_update_8
- version/microfocus enterprise developer/8.0-patch_update_9
- version/microfocus enterprise developer/9.0-patch_update_1
- canonical/microfocus enterprise server
- version/microfocus enterprise server/7.0-patch_update_19
- version/microfocus enterprise server/7.0-patch_update_20
- version/microfocus enterprise server/8.0-patch_update_8
- version/microfocus enterprise server/8.0-patch_update_9
- version/microfocus enterprise server/9.0-patch_update_1
- canonical/microfocus enterprise test server
- version/microfocus enterprise test server/7.0-patch_update_19
- version/microfocus enterprise test server/7.0-patch_update_20
- version/microfocus enterprise test server/8.0-patch_update_8
- version/microfocus enterprise test server/8.0-patch_update_9
- version/microfocus enterprise test server/9.0-patch_update_1
- canonical/microfocus visual cobol
- version/microfocus visual cobol/7.0-patch_update_19
- version/microfocus visual cobol/7.0-patch_update_20
- version/microfocus visual cobol/8.0-patch_update_8
- version/microfocus visual cobol/8.0-patch_update_9
- version/microfocus visual cobol/9.0-patch_update_1