Description
SpringSecurityLdapTemplate explicitly includes the RETURN_OBJECT flag in the SearchControls in order to allow DefaultDirObjectFactory to instantiate an instance of DirContextAdapter when iterating over the SearchResults.
This is convenient and works as intended with the JNDI mechanisms. However, JNDI has some flaws in security. If a malicious user is able to write arbitrary attributes to the LDAP user and the Java schema has been added to the LDAP instance, then the malicious user can leverage built-in JDK deserialization to execute arbitrary code.
Rather than relying on Java internals to instantiate DirContextAdapter, we can instantiate it directly. This works because we know the type of object that should be initialized. It allows us to remove the RETURN_OBJECT flag, and removing that flag is what prevents the exploit.
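The two search configurations side by side, as an added illustration that is not the project's own code: the first relies on RETURN_OBJECT and lets JNDI build the result object, the second leaves the flag off and constructs DirContextAdapter from the returned attributes and DN. It assumes spring-ldap-core on the classpath; the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.Name;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.springframework.ldap.core.DirContextAdapter;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.support.LdapUtils;

public class LdapSearchExample {

    // Weak setting: RETURN_OBJECT asks JNDI to build an object for every entry
    // through the configured DirObjectFactory. If the Java schema is installed
    // and an attacker can write attributes on an entry, that step is where JDK
    // deserialization of attacker-controlled data would happen.
    static SearchControls returningObjectControls() {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningObjFlag(true); // RETURN_OBJECT enabled
        return controls;
    }

    // Hardened setting: only attributes are returned, no object construction by JNDI.
    static SearchControls attributesOnlyControls() {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningObjFlag(false); // RETURN_OBJECT disabled
        return controls;
    }

    // Since the caller knows it wants a DirContextAdapter, build it directly from
    // each SearchResult's attributes and DN instead of relying on sr.getObject().
    static List<DirContextOperations> search(DirContext ctx, String base,
                                             String filter, Object[] params) throws NamingException {
        List<DirContextOperations> results = new ArrayList<>();
        NamingEnumeration<SearchResult> found = ctx.search(base, filter, params, attributesOnlyControls());
        try {
            while (found.hasMore()) {
                SearchResult sr = found.next();
                Name dn = LdapUtils.newLdapName(sr.getNameInNamespace());
                results.add(new DirContextAdapter(sr.getAttributes(), dn));
            }
        } finally {
            found.close();
        }
        return results;
    }
}
```

The returningObjectControls() method is shown only for contrast; only attributesOnlyControls() is used by the search.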
NOTE: The risk of this exploit is rather low, because for it to work the user needs to have gained write access to a user in the LDAP instance used to authenticate applications. It also requires the Java LDAP schema to be installed. However, because the steps to mitigate this are relatively straightforward, we are making these changes to be defensive.