Fix CVE-2023-4727

(cherry picked from commit 56823097bc66a7a0e521bcbecf002eabc06d8a97)
liningjie 2024-09-29 13:40:01 +08:00 committed by openeuler-sync-bot
parent 0d5d376d7f
commit e719ac29fe
2 changed files with 67 additions and 1 deletions


@ -0,0 +1,60 @@
From aa7161ba378caf5cf0471aafb679a842679c8388 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 11 Sep 2023 15:40:32 -0500
Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
Previously the LDAPSecurityDomainSessionTable.sessionExists()
and getStringValue() were using user-provided session ID as
is in an LDAP filter which could be exploited to bypass token
authentication.
To fix the problem the code has been modified to escape all
special characters in the session ID before using it in the
LDAP filter.
Resolves: CVE-2023-4727
---
.../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
index 1783823..fa03c99 100644
--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -31,6 +31,7 @@ import com.netscape.cmscore.apps.EngineConfig;
import com.netscape.cmscore.ldapconn.LDAPConfig;
import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
import com.netscape.cmscore.ldapconn.PKISocketConfig;
+import com.netscape.cmsutil.ldap.LDAPUtil;
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
@@ -179,7 +180,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { "cn" };
conn = mLdapConnFactory.getConn();
@@ -262,7 +267,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = ldapConfig.getBaseDN();
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { attr };
conn = mLdapConnFactory.getConn();
--
2.33.0
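Review bot: The escaped filter construction is now duplicated verbatim in the two hunks of LDAPSecurityDomainSessionTable (the sessionExists() hunk at @@ -179 and the getStringValue() hunk at @@ -262), so a third lookup by session ID added later could build `"(cn=" + sessionId + ")"` again without going through `LDAPUtil.escapeFilter`. Keeping it in one private helper makes the escaping the only way to get a session filter: `private static String sessionFilter(String sessionId) { return "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")"; }` with both call sites reduced to `String filter = sessionFilter(sessionId);`. The helper's comment should say why rather than repeat the CVE id alone, e.g. `// sessionId comes from the client; escape it so it cannot alter the filter structure (CVE-2023-4727)`. Both enclosing methods start and end outside the hunks, and this backport appears to apply the upstream patch unchanged, so the refactor could equally be carried as a follow-up to upstream rather than in the spec's patch.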


@ -3,13 +3,16 @@
Name: pki-core
Version: 11.0.0
Release: 5
Release: 6
Summary: The PKI Core Package
License: GPLv2 and LGPLv2
URL: http://www.dogtagpki.org/
Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%{version}.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch0: CVE-2022-2414.patch
Patch3000: backport-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
BuildRequires: git make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless
BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
BuildRequires: apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j
@ -455,6 +458,9 @@ fi
%endif
%changelog
* Sun Oct 13 2024 liningjie <liningjie@xfusion.com> - 11.0.0-6
- Fix CVE-2023-4727
* Wed Jun 28 2023 wangkai <13474090681@163.com> - 11.0.0-5
- Fix CVE-2022-2414