From 2d152f06a3f3c395015622bce084c887190e07b2 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@redhat.com>
Date: Tue, 16 Apr 2024 14:22:18 -0400
Subject: [PATCH] Subject: [PATCH] CVE-2023-4727 Fix token authentication
bypass vulnerability
Previously, LDAPSecurityDomainSessionTable.sessionExists()
and getStringValue() used the user-provided session ID as-is
in an LDAP filter, which could be exploited to bypass token
authentication.
To fix the problem the code has been modified to escape all
special characters in the session ID before using it in the
LDAP filter.
Resolves: CVE-2023-4727
---
.../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
---
.../cmscore/session/LDAPSecurityDomainSessionTable.java | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
index 5fd58d9..a742187 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -28,6 +28,8 @@ import com.netscape.certsrv.base.ISecurityDomainSessionTable;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.ldap.ELdapException;
import com.netscape.certsrv.ldap.ILdapConnFactory;
+import com.netscape.cmsutil.ldap.LDAPUtil;
+
import netscape.ldap.LDAPAttribute;
import netscape.ldap.LDAPAttributeSet;
@@ -154,7 +156,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = cs.getString("internaldb.basedn");
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { "cn" };
conn = mLdapConnFactory.getConn();
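Review bot: The escaped filter expression is now built by hand in two places (this hunk and the identical one in getStringValue() below), so a third lookup added later can silently drop the escape; a single private helper such as `private static String sessionFilter(String sessionId) { return "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")"; }` called as `String filter = sessionFilter(sessionId);` in both methods keeps the CVE-2023-4727 fix in one auditable spot. The fix itself is correct only if `LDAPUtil.escapeFilter` performs RFC 4515 search-filter escaping (parentheses, `*`, `\`, NUL) rather than DN escaping, which cannot be confirmed from the hunk and is worth checking in the utility's source or a unit test that passes a value containing `*` and `)`. The hunk also does not show how a null or empty sessionId behaves through `escapeFilter`; if the enclosing methods do not already reject such values earlier, an explicit check before building the filter would avoid an unintended `(cn=)` query. The enclosing try block and the surrounding sessionExists() method start and end outside the hunk.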
@@ -229,7 +235,11 @@ public class LDAPSecurityDomainSessionTable
try {
String basedn = cs.getString("internaldb.basedn");
String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
String[] attrs = { attr };
conn = mLdapConnFactory.getConn();
--
1.8.3.1