Red Hat Security Advisory 2013-0231-01 - JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. When using LDAP authentication with either the "ldap" configuration entry or the provided LDAP login modules, empty passwords were allowed by default. An attacker could use this flaw to bypass intended authentication by providing an empty password for a valid username, as the LDAP server may recognize this as an 'unauthenticated authentication'. This update sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured.
7a55e18c14409d7e71117993e7cc7187493ae79ffaf0c9fba0d158410ce27ce5