Bug 1157955 - mod_auth_mellon: predictable session cookie in rare cases
Summary: mod_auth_mellon: predictable session cookie in rare cases
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1157958 1157959
Blocks: 1157286
TreeView+ depends on / blocked
 
Reported: 2014-10-28 06:09 UTC by Murray McAllister
Modified: 2021-02-17 06:03 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-04 01:37:12 UTC


Attachments (Terms of Use)

Description Murray McAllister 2014-10-28 06:09:56 UTC
It was reported that users could receive a predictable session cookie in some cases. This would typically only occur if the server was under very high memory pressure. This could be used to hijack another user's session.

Acknowledgements:

Red Hat would like to thank the mod_auth_mellon team for reporting this issue.

Comment 2 Murray McAllister 2014-11-04 01:35:33 UTC
CVE-2014-8566 is not the correct CVE for this issue. In fact, this issue did not receive a CVE, and is related to the following:

https://github.com/UNINETT/mod_auth_mellon/commit/47a767d5f37d1d3a1c004abbf8bb80d1b7eab328

http://jbp.io/2014/01/16/openssl-rand-api/#recommendations-and-patches

It was decided that this could not be used for an attack to force a predictable session cookie to be used.

Comment 3 Murray McAllister 2014-11-04 01:37:12 UTC
This bug may be fixed in a future, upstream mod_auth_mellon release. Closing for now.


Note You need to log in before you can comment on or make changes to this bug.