Bug 1793049

Summary: ipa: failure to invalidate session after password change
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abokovoy, carnil, fdc, frenaud, huzaifas, ipa-maint, jcholast, jhrozek, mkosek, pcech, prisingh, pvoborni, rcritten, rharwood, security-response-team, ssorce, tscherf, twoerner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-09 03:33:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1802405, 1802406    
Bug Blocks: 1781355    

Description Guilherme de Almeida Suckevicz 2020-01-20 14:57:24 UTC 
It was found that IPA fails to invalidate the session after changing the password. In this scenario, changing the password does not destroy other sessions connected with old passwords.
Comment 7 Huzaifa S. Sidhpurwala 2020-04-09 03:31:55 UTC 
Red Hat Product Security does not consider this as a security flaw.

Password changes aren't expected to invalidate existing sessions. Though this is how Kerberos behaves: incrementing kvno will not invalidate any existing service tickets.  This is not a concern because the lifetime on service tickets should be set appropriately (initially only a global, now also more finely configurable with the kdcpolicy plugin).  This belief is reinforced by our use of mod_session: existing sessions there aren't terminated, but instead wait for expiration.
Comment 8 Huzaifa S. Sidhpurwala 2020-04-09 03:31:59 UTC 
Acknowledgments:

Name: Pritam Singh (Red Hat)
Comment 10 Salvatore Bonaccorso 2020-06-03 18:29:35 UTC 
According to 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1703
the CVE has been withdrawn and REJECTED.

Can you remove the Alias to the CVE here then as well?
Comment 11 Yogendra Jog 2020-06-04 06:00:54 UTC 
In reply to comment #10:
> According to 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1703
> the CVE has been withdrawn and REJECTED.
> 
> Can you remove the Alias to the CVE here then as well?

Thank you for notifying.  Setting the need info on analyst that worked on this.

Regards
Yogendra.
Comment 12 Huzaifa S. Sidhpurwala 2020-06-04 06:23:10 UTC 
In reply to comment #10:
> According to 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1703
> the CVE has been withdrawn and REJECTED.
> 
> Can you remove the Alias to the CVE here then as well?

done, thanks for informing!