From 2d152f06a3f3c395015622bce084c887190e07b2 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@redhat.com>
Date: Tue, 16 Apr 2024 14:22:18 -0400
Subject: [PATCH] Subject: [PATCH] CVE-2023-4727 Fix token authentication
 bypass vulnerability
Previously the LDAPSecurityDomainSessionTable.sessionExists()
and getStringValue() were using user-provided session ID as
is in an LDAP filter, which could be exploited to bypass token
authentication.
To fix the problem the code has been modified to escape all
special characters in the session ID before using it in the
LDAP filter.
Resolves: CVE-2023-4727
---
 .../session/LDAPSecurityDomainSessionTable.java     | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
---
 .../cmscore/session/LDAPSecurityDomainSessionTable.java    | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
index 5fd58d9..a742187 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -28,6 +28,8 @@ import com.netscape.certsrv.base.ISecurityDomainSessionTable;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.ldap.ELdapException;
 import com.netscape.certsrv.ldap.ILdapConnFactory;
+import com.netscape.cmsutil.ldap.LDAPUtil;
+
 
 import netscape.ldap.LDAPAttribute;
 import netscape.ldap.LDAPAttributeSet;
@@ -154,7 +156,11 @@ public class LDAPSecurityDomainSessionTable
         try {
             String basedn = cs.getString("internaldb.basedn");
             String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
-            String filter = "(cn=" + sessionId + ")";
+
+            // CVE-2023-4727
+            // escape session ID in LDAP search filter
+            String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
             String[] attrs = { "cn" };
 
             conn = mLdapConnFactory.getConn();
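Review bot: The escaped filter on the `String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";` line is the right fix, but the session ID is client-supplied, so the fix now rests entirely on `LDAPUtil.escapeFilter` covering every RFC 4515 metacharacter (`*`, `(`, `)`, `\`, NUL) — that helper is not visible in this patch and should be checked. A whitelist check before the value reaches LDAP at all would make the method fail closed independent of the helper's escaping table, e.g. `if (sessionId == null || !sessionId.matches("[A-Za-z0-9_-]+")) { /* reject via the method's existing failure path */ }` ahead of the filter construction, assuming the IDs this server issues are alphanumeric — confirm against the generator. The added comment names only the CVE; it should say why the call is there so it is not "cleaned up" later: `// CVE-2023-4727: sessionId is attacker-controlled; escape it so it cannot alter the filter structure`. sessionExists() starts, and its search and result handling continue, outside this hunk.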
@@ -229,7 +235,11 @@ public class LDAPSecurityDomainSessionTable
         try {
             String basedn = cs.getString("internaldb.basedn");
             String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
-            String filter = "(cn=" + sessionId + ")";
+
+            // CVE-2023-4727
+            // escape session ID in LDAP search filter
+            String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
             String[] attrs = { attr };
 
             conn = mLdapConnFactory.getConn();
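Review bot: The filter construction added here is byte-identical to the one added in sessionExists() in the previous hunk, so a third call site building a session lookup would have to remember the escape on its own. Extract it into one private helper, `private static String sessionFilter(String sessionId) { return "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")"; }`, carrying the CVE comment, and replace both sites with `String filter = sessionFilter(sessionId);` so the escaping cannot be skipped. If the class also builds DNs from the session ID elsewhere (e.g. `cn=<id>,` + sessionsdn for add/remove, not visible in this patch), those need DN escaping rather than filter escaping and should be checked separately. getStringValue() starts, and its search and attribute handling continue, outside this hunk.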
-- 
1.8.3.1