Bug 1157955

Summary: mod_auth_mellon: predictable session cookie in rare cases
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: Murray McAllister <mmcallis>
Assignee: Red Hat Product Security <security-response-team>
CC: jrusnack, security-response-team, ssorce, vdanen
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2014-11-04 01:37:12 UTC
Bug Depends On: 1157958, 1157959
Bug Blocks: 1157286

Description Murray McAllister 2014-10-28 06:09:56 UTC
It was reported that users could receive a predictable session cookie in some cases. This would typically only occur if the server was under very high memory pressure. This could be used to hijack another user's session.

Acknowledgements:

Red Hat would like to thank the mod_auth_mellon team for reporting this issue.

Comment 2 Murray McAllister 2014-11-04 01:35:33 UTC
CVE-2014-8566 is not the correct CVE for this issue. In fact, this issue did not receive a CVE, and is related to the following:

https://github.com/UNINETT/mod_auth_mellon/commit/47a767d5f37d1d3a1c004abbf8bb80d1b7eab328

http://jbp.io/2014/01/16/openssl-rand-api/#recommendations-and-patches

It was decided that this could not be used for an attack to force a predictable session cookie to be used.
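
The recommendation in the linked article (check the return value of RAND_bytes and do not issue a session when it reports failure) describes the class of defect this bug is about: a random source that can fail, and a caller that encodes the buffer regardless. The following C is an added example, not mod_auth_mellon code and not the change in the linked commit, which this page does not quote. It models a RAND_bytes-style source with the same 1-on-success/0-on-failure convention, uses /dev/urandom as the real source (assumed available on the host) and a constructed always-failing source in place of a PRNG that cannot produce output, and shows the unchecked caller beside the fail-closed one. No OpenSSL linkage is needed.

```c
/*
 * Added example (not mod_auth_mellon code): why an unchecked random
 * source yields a predictable session identifier.
 *
 * RAND_bytes()-style sources return 1 on success and 0 on failure and
 * do not guarantee anything about the buffer on failure.  A caller that
 * ignores the return value encodes whatever the buffer already held.
 */
#include <stdio.h>
#include <string.h>

#define SESSION_ID_BYTES 16
#define SESSION_ID_HEXLEN (2 * SESSION_ID_BYTES)

/* Random source interface, same 1/0 convention as OpenSSL's RAND_bytes. */
typedef int (*rand_fn)(unsigned char *buf, int num);

/* Real source: /dev/urandom (assumed available on the host). */
int urandom_bytes(unsigned char *buf, int num)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;
    if (f == NULL)
        return 0;
    got = fread(buf, 1, (size_t)num, f);
    fclose(f);
    return got == (size_t)num ? 1 : 0;
}

/* Constructed failing source: stands in for a PRNG that cannot produce
 * output (for example under allocation failure). Reports failure and
 * leaves buf untouched. */
int failing_bytes(unsigned char *buf, int num)
{
    (void)buf;
    (void)num;
    return 0;
}

static void hex_encode(const unsigned char *in, int n, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (int i = 0; i < n; i++) {
        out[2 * i] = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
}

/* Vulnerable pattern: the source's return value is ignored. On failure
 * the zero-initialised buffer is encoded, so every session issued while
 * the source is failing gets the same identifier. */
void generate_session_id_unchecked(rand_fn source, char *out)
{
    unsigned char rnd[SESSION_ID_BYTES] = {0};
    source(rnd, SESSION_ID_BYTES);
    hex_encode(rnd, SESSION_ID_BYTES, out);
}

/* Hardened pattern: fail closed. Returns 0 and fills out on success,
 * -1 (with out set to "") when the source could not deliver random bytes;
 * the caller should then refuse the request rather than issue a cookie. */
int generate_session_id_checked(rand_fn source, char *out)
{
    unsigned char rnd[SESSION_ID_BYTES];
    out[0] = '\0';
    if (source(rnd, SESSION_ID_BYTES) != 1)
        return -1;
    hex_encode(rnd, SESSION_ID_BYTES, out);
    return 0;
}

int main(void)
{
    char a[SESSION_ID_HEXLEN + 1], b[SESSION_ID_HEXLEN + 1];

    generate_session_id_unchecked(failing_bytes, a);
    generate_session_id_unchecked(failing_bytes, b);
    printf("unchecked, failing source: %s\n                           %s (%s)\n",
           a, b, strcmp(a, b) == 0 ? "identical, predictable" : "different");

    printf("checked, failing source: rc=%d\n",
           generate_session_id_checked(failing_bytes, a));

    if (generate_session_id_checked(urandom_bytes, a) == 0 &&
        generate_session_id_checked(urandom_bytes, b) == 0)
        printf("checked, urandom: %s\n                  %s\n", a, b);
    return 0;
}
```

With the failing source the unchecked generator hands every caller the same all-zero identifier, which is the predictable-cookie condition; the checked generator returns an error instead, and the request should fail rather than proceed with a cookie an attacker could guess.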

Comment 3 Murray McAllister 2014-11-04 01:37:12 UTC
This bug may be fixed in a future, upstream mod_auth_mellon release. Closing for now.