Bug 2232218 (CVE-2023-4727)

Summary: CVE-2023-4727 dogtag ca: token authentication bypass vulnerability
Product: [Other] Security Response Reporter: Zack Miele <zmiele>
Component: vulnerabilityAssignee: Endi Sukma Dewata <edewata>
Status: POST --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aakkiang, cfu, ckelley, dsirrine, edewata, fdelehay, gkimetto, jmagne, jwest, mfargett, mharmsen, mulliken, prisingh, psampaio, rhcs-maint, security-response-team, skhandel, taherrin, teagle
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2268351, 2232221, 2232222, 2232223, 2232281    
Bug Blocks: 2232220    

Description Zack Miele 2023-08-15 19:32:41 UTC 
The token authentication scheme in Dogtag CA can be bypassed with a Ldap injection.
By passing the query string parameter sessionID=*, an attacker can authenticate with
the existing session saved in Ldap directory server.
Comment 33 Pedro Sampaio 2024-01-05 17:04:57 UTC 
This is ready to unembargo from our side.

Endi, please confirm if your team is able to view the tracker bugs and prepare Erratas?

Thank you.
Comment 51 Endi Sukma Dewata 2024-06-17 23:55:23 UTC 
Fixed upstream:
* master branch: https://github.com/dogtagpki/pki/commit/aa7161ba378caf5cf0471aafb679a842679c8388
* v11.5 branch: https://github.com/dogtagpki/pki/commit/54e5b3c5932ad634b5ddf5b1d4d88c9419d6f720
Comment 53 errata-xmlrpc 2024-06-23 22:46:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4051 https://access.redhat.com/errata/RHSA-2024:4051
Comment 54 errata-xmlrpc 2024-06-27 14:09:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:4164 https://access.redhat.com/errata/RHSA-2024:4164
Comment 55 errata-xmlrpc 2024-06-27 14:29:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4165 https://access.redhat.com/errata/RHSA-2024:4165