diff --git a/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch b/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b651e31d01952b061893d5c54c304bcfa43f3d3e
--- /dev/null
+++ b/0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch
@@ -0,0 +1,60 @@
+From aa7161ba378caf5cf0471aafb679a842679c8388 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Mon, 11 Sep 2023 15:40:32 -0500
+Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
+
+Previously the LDAPSecurityDomainSessionTable.sessionExists()
+and getStringValue() were using user-provided session ID as
+is in an LDAP filter which could be exploited to bypass token
+authentication.
+
+To fix the problem the code has been modified to escape all
+special characters in the session ID before using it in the
+LDAP filter.
+
+Resolves: CVE-2023-4727
+---
+ .../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+index 1783823..fa03c99 100644
+--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
++++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+@@ -31,6 +31,7 @@ import com.netscape.cmscore.apps.EngineConfig;
+ import com.netscape.cmscore.ldapconn.LDAPConfig;
+ import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
+ import com.netscape.cmscore.ldapconn.PKISocketConfig;
++import com.netscape.cmsutil.ldap.LDAPUtil;
+
+ import netscape.ldap.LDAPAttribute;
+ import netscape.ldap.LDAPAttributeSet;
+@@ -179,7 +180,11 @@ public class LDAPSecurityDomainSessionTable
+ try {
+ String basedn = ldapConfig.getBaseDN();
+ String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
+- String filter = "(cn=" + sessionId + ")";
++
++ // CVE-2023-4727
++ // escape session ID in LDAP search filter
++ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
++
+ String[] attrs = { "cn" };
+
+ conn = mLdapConnFactory.getConn();
+@@ -262,7 +267,11 @@ public class LDAPSecurityDomainSessionTable
+ try {
+ String basedn = ldapConfig.getBaseDN();
+ String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
+- String filter = "(cn=" + sessionId + ")";
++
++ // CVE-2023-4727
++ // escape session ID in LDAP search filter
++ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
++
+ String[] attrs = { attr };
+
+ conn = mLdapConnFactory.getConn();
+--
+2.33.0
+
diff --git a/pki-core.spec b/pki-core.spec
index ca3ca24f847adf72c66b8bccae472aaa67547641..83f066897722629ee025b83698e9e12f7d3fa2ef 100644
--- a/pki-core.spec
+++ b/pki-core.spec
@@ -3,12 +3,15 @@ Name: pki-core Version: 11.0.0 -Release: 4 +Release: 5 Summary: The PKI Core Package License: GPLv2 and LGPLv2 URL: http://www.dogtagpki.org/ Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%{version}.tar.gz Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz + +Patch0001: 0001-CVE-2023-4727-Fix-token-authentication-bypass-vulner.patch + BuildRequires: make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io BuildRequires: apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j
@@ -452,6 +455,9 @@ fi %endif %changelog +* Sun Oct 13 2024 liningjie - 11.0.0-5 +- Fix CVE-2023-4727 + * Thu Dec 01 2022 xu_ping - 11.0.0-4 - remove unuse buildrequires git packages
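Review bot: The escaped filter construction is duplicated verbatim in the two inner hunks (`@@ -179,7 +180,11 @@` and `@@ -262,7 +267,11 @@`, i.e. sessionExists() and getStringValue() per the commit message), which leaves two places where the unescaped concatenation could be reintroduced. A single helper, `private static String sessionFilter(String sessionId) { return "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")"; }`, called from both methods would make the escaping the only way to build this filter in the class. The fix itself is sound for the filter: `sessionsdn` is built from `ldapConfig.getBaseDN()`, not from request data, so the session ID was the only attacker-influenced part of the query shown here. Both enclosing methods start and end outside the hunk, so whether the class builds LDAP filters anywhere else cannot be checked from this diff.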
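Review bot: The spec hunk at `@@ -3,12 +3,15 @@` only declares `Patch0001:`; whether the patch is actually applied depends on the %prep section, which is not part of this diff. If %prep does not use `%autosetup -p1` (or `%autopatch`), an explicit `%patch -P 1 -p1` (legacy form `%patch0001 -p1`) is required, otherwise the release bump and changelog entry would claim a CVE fix that is not in the built binaries. Confirm this against the rest of the spec before merging. The changelog hunk at `@@ -452,6 +455,9 @@` may continue past the end of the visible text.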