From 91c47425790af81868d199327bca108b97557dfa Mon Sep 17 00:00:00 2001
From: liningjie
Date: Sun, 29 Sep 2024 14:03:10 +0800
Subject: [PATCH] Fix CVE-2023-4727
---
 CVE-2023-4727.patch | 60 +++++++++++++++++++++++++++++++++++++++++++++
 pki-core.spec | 6 ++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-4727.patch
diff --git a/CVE-2023-4727.patch b/CVE-2023-4727.patch
new file mode 100644
index 0000000..8b53475
--- /dev/null
+++ b/CVE-2023-4727.patch
@@ -0,0 +1,60 @@
+From aa7161ba378caf5cf0471aafb679a842679c8388 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Mon, 11 Sep 2023 15:40:32 -0500
+Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability
+
+Previously the LDAPSecurityDomainSessionTable.sessionExists()
+and getStringValue() were using user-provided session ID as
+is in an LDAP filter which could be exploited to bypass token
+authentication.
+
+To fix the problem the code has been modified to escape all
+special characters in the session ID before using it in the
+LDAP filter.
+
+Resolves: CVE-2023-4727
+---
+ .../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+index 2e3bdf1..6253066 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+@@ -29,6 +29,7 @@ import com.netscape.certsrv.ldap.ELdapException;
+ import com.netscape.cmscore.apps.CMS;
+ import com.netscape.cmscore.apps.CMSEngine;
+ import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
++import com.netscape.cmsutil.ldap.LDAPUtil;
+ 
+ import netscape.ldap.LDAPAttribute;
+ import netscape.ldap.LDAPAttributeSet;
+@@ -166,7 +167,11 @@ public class LDAPSecurityDomainSessionTable
+ try {
+ String basedn = cs.getString("internaldb.basedn");
+ String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
+- String filter = "(cn=" + sessionId + ")";
++
++ // CVE-2023-4727
++ // escape session ID in LDAP search filter
++ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
++
+ String[] attrs = { "cn" };
+ 
+ conn = mLdapConnFactory.getConn();
+@@ -244,7 +249,11 @@ public class LDAPSecurityDomainSessionTable
+ try {
+ String basedn = cs.getString("internaldb.basedn");
+ String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
+- String filter = "(cn=" + sessionId + ")";
++
++ // CVE-2023-4727
++ // escape session ID in LDAP search filter
++ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
++
+ String[] attrs = { attr };
+ 
+ conn = mLdapConnFactory.getConn();
+-- 
+2.33.0
+
diff --git a/pki-core.spec b/pki-core.spec
index 9e648ea..e978ba5 100644
--- a/pki-core.spec
+++ b/pki-core.spec
@@ -4,7 +4,7 @@ Name: pki-core
 Version: 10.7.3
-Release: 6
+Release: 7
 Summary: The PKI Core Package
 License: GPLv2 and LGPLv2
 URL: http://www.dogtagpki.org/
@@ -14,6 +14,7 @@ Patch1: 0001-Fix-URL-redirection-for-KRA-and-OCSP-web-UI-241.patch
 Patch2: remove-sslget-V-option.patch
 Patch3: remove-revoker-V-option.patch
 Patch4: CVE-2022-2414.patch
+Patch5: CVE-2023-4727.patch
 BuildRequires: git make cmake >= 2.8.9-1 gcc-c++ zip java-1.8.0-openjdk-devel
 BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
@@ -440,6 +441,9 @@ fi
 %endif
 %changelog
+* Sun Oct 13 2024 liningjie - 10.7.3-7
+- Fix CVE-2023-4727
+
 * Tue Oct 17 2023 Ge Wang - 10.7.3-6
 - Fix EulerMaker build failure caused by build root difference
-- 
Gitee
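Review bot: The two new `filter` lines make RFC 4515 filter escaping the only defence against a crafted session ID, although a session ID is a server-issued token whose shape could be checked before it is used at all; an allow-list on the raw value at the top of both `sessionExists()` and `getStringValue()`, e.g. rejecting when `sessionId == null || !sessionId.matches("[A-Za-z0-9]+")` holds and returning the method's existing not-found result, would stop malformed IDs outright and leave `LDAPUtil.escapeFilter` as a second layer (the exact token alphabet must be confirmed against wherever the IDs are minted, which is outside this hunk). A null `sessionId` also deserves a look: the removed concatenation produced the literal filter `(cn=null)`, whereas `LDAPUtil.escapeFilter(null)` presumably throws or returns something different, so any caller that can pass null now behaves differently. Filter escaping does not cover DN contexts, so if other methods of this class concatenate the session ID into a `cn=<id>,ou=sessions,...` DN for add or delete, those need RDN-value escaping separately and are not fixed by this patch. The added comment could also state the threat rather than just the action, e.g. `// CVE-2023-4727: escape RFC 4515 filter metacharacters so a crafted ID cannot widen the search and bypass token authentication`. Both enclosing methods begin and end outside the hunk.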