diff --git a/backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch b/backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
new file mode 100644
index 0000000..b651e31
--- /dev/null
+++ b/backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
@@ -0,0 +1,60 @@
+From aa7161ba378caf5cf0471aafb679a842679c8388 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Mon, 11 Sep 2023 15:40:32 -0500
+Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
+
+Previously the LDAPSecurityDomainSessionTable.sessionExists()
+and getStringValue() were using user-provided session ID as
+is in an LDAP filter which could be exploited to bypass token
+authentication.
+
+To fix the problem the code has been modified to escape all
+special characters in the session ID before using it in the
+LDAP filter.
+
+Resolves: CVE-2023-4727
+---
+ .../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+index 1783823..fa03c99 100644
+--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
++++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+@@ -31,6 +31,7 @@ import com.netscape.cmscore.apps.EngineConfig;
+ import com.netscape.cmscore.ldapconn.LDAPConfig;
+ import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
+ import com.netscape.cmscore.ldapconn.PKISocketConfig;
++import com.netscape.cmsutil.ldap.LDAPUtil;
+
+ import netscape.ldap.LDAPAttribute;
+ import netscape.ldap.LDAPAttributeSet;
+@@ -179,7 +180,11 @@ public class LDAPSecurityDomainSessionTable
+ try {
+ String basedn = ldapConfig.getBaseDN();
+ String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
+- String filter = "(cn=" + sessionId + ")";
++
++ // CVE-2023-4727
++ // escape session ID in LDAP search filter
++ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
++
+ String[] attrs = { "cn" };
+
+ conn = mLdapConnFactory.getConn();
+@@ -262,7 +267,11 @@ public class 
LDAPSecurityDomainSessionTable + try { + String basedn = ldapConfig.getBaseDN(); + String sessionsdn = "ou=sessions,ou=Security Domain," + basedn; +- String filter = "(cn=" + sessionId + ")"; ++ ++ // CVE-2023-4727 ++ // escape session ID in LDAP search filter ++ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")"; ++ + String[] attrs = { attr }; + + conn = mLdapConnFactory.getConn(); +-- +2.33.0 + diff --git a/pki-core.spec b/pki-core.spec index d43acd8..59e1547 100644 --- a/pki-core.spec +++ b/pki-core.spec @@ -3,13 +3,16 @@ Name: pki-core Version: 11.0.0 -Release: 5 +Release: 6 Summary: The PKI Core Package License: GPLv2 and LGPLv2 URL: http://www.dogtagpki.org/ Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%{version}.tar.gz Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz + Patch0: CVE-2022-2414.patch +Patch3000: backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch + BuildRequires: git make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io BuildRequires: apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j @@ -455,6 +458,9 @@ fi %endif %changelog +* Sun Oct 13 2024 liningjie - 11.0.0-6 +- Fix CVE-2023-4727 + * Wed Jun 28 2023 wangkai <13474090681@163.com> - 11.0.0-5 - Fix CVE-2022-2414
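Review bot: The escaped filter `"(cn=" + LDAPUtil.escapeFilter(sessionId) + ")"` is now hand-built in two places (the inner hunks at @@ -179 and @@ -262, which the patch description attributes to sessionExists() and getStringValue()), each with its own copy of the CVE comment; a private helper such as `private static String sessionFilter(String sessionId) { return "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")"; }` called from both sites would leave a single place where the escaping cannot be forgotten or drift. The enclosing methods start and end outside the hunks, so whether sessionId is checked earlier (non-null, expected length and character set) is not visible here; if it is not, such a check before the LDAP round trip is a cheap second layer, since escaping only neutralises filter metacharacters and does not reject malformed IDs. As this is a backport, it is also worth confirming that LDAPUtil.escapeFilter exists in the 11.0.0 tree the spec builds, since the import is added at @@ -31 without any accompanying change to that class.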
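Review bot: Patch3000 is declared in the first pki-core.spec hunk, but nothing in the visible hunks applies it; if %prep uses explicit %patch directives rather than %autosetup (the %prep section is outside this diff), a matching `%patch3000 -p1` is needed or the fix will be listed in the changelog but never compiled in. Checking the patched LDAPSecurityDomainSessionTable.java in the build tree for the added LDAPUtil import would confirm the patch took effect.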