packages/pki-core
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-4727

Browse Source 
(cherry picked from commit b46cfc39d739d796eac52be667e29cea5c196fbb)
This commit is contained in:
liningjie 2024-09-29 13:26:59 +08:00 committed by openeuler-sync-bot
parent 488410e35c
commit 237260d6a6
2 changed files with 65 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch Normal file
View File

@ -0,0 +1,60 @@
From aa7161ba378caf5cf0471aafb679a842679c8388 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 11 Sep 2023 15:40:32 -0500
Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
Previously the LDAPSecurityDomainSessionTable.sessionExists()
and getStringValue() were using user-provided session ID as
is in an LDAP filter which could be exploited to bypass token
authentication.
To fix the problem the code has been modified to escape all
special characters in the session ID before using it in the
LDAP filter.
Resolves: CVE-2023-4727
---
.../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
index 1783823..fa03c99 100644
--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -31,6 +31,7 @@ import com.netscape.cmscore.apps.EngineConfig;
import com.netscape.cmscore.ldapconn.LDAPConfig;
import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
import com.netscape.cmscore.ldapconn.PKISocketConfig;
+import com.netscape.cmsutil.ldap.LDAPUtil;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
@@ -179,7 +180,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { "cn" };
conn = mLdapConnFactory.getConn();
@@ -262,7 +267,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { attr };
conn = mLdapConnFactory.getConn();
--
2.33.0

6
pki-core.spec
View File

@ -3,7 +3,7 @@
Name: pki-core
Version: 11.0.0
Release: 7
Release: 8
Summary: The PKI Core Package
License: GPLv2 and LGPLv2
URL: http://www.dogtagpki.org/
@ -11,6 +11,7 @@ Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch0001: 0001-Disable-access-to-external-entities-when-parsing-XML.patch
Patch3000: backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
BuildRequires: make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless
BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
@ -456,6 +457,9 @@ fi
%endif
%changelog
* Sun Oct 13 2024 liningjie <liningjie@xfusion.com> - 11.0.0-8
- Fix CVE-2023-4727
* Thu Apr 11 2024 liyanan <liyanan61@h-partners.com> - 11.0.0-7
- Replace unrecognized macros