Bug 1157955 - mod_auth_mellon: predictable session cookie in rare cases
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1157958 1157959
Blocks: 1157286
Reported: 2014-10-28 06:09 UTC by Murray McAllister
Modified: 2021-02-17 06:03 UTC (History)
Last Closed: 2014-11-04 01:37:12 UTC


Description Murray McAllister 2014-10-28 06:09:56 UTC
It was reported that users could receive a predictable session cookie in some cases. This would typically only occur if the server was under very high memory pressure. This could be used to hijack another user's session.

Acknowledgements:

Red Hat would like to thank the mod_auth_mellon team for reporting this issue.

Comment 2 Murray McAllister 2014-11-04 01:35:33 UTC
CVE-2014-8566 is not the correct CVE for this issue. In fact, this issue did not receive a CVE, and is related to the following:

https://github.com/UNINETT/mod_auth_mellon/commit/47a767d5f37d1d3a1c004abbf8bb80d1b7eab328

http://jbp.io/2014/01/16/openssl-rand-api/#recommendations-and-patches

It was decided that this could not be used for an attack to force a predictable session cookie to be used.
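
The failure mode behind this report, an RNG call that can fail and a caller that never looks at its return value, is easy to see in a small model. The following is an added example, not mod_auth_mellon's code and not the content of the linked commit: it models a CSPRNG call with RAND_bytes-style return codes (OpenSSL's RAND_bytes returns 1 on success and 0 on failure), and the two RNG functions, `urandom_rng` and `failing_rng`, are constructed stand-ins so the block runs without OpenSSL. The unchecked generator reports success even when the RNG failed and hands back whatever was already in the buffer; the checked generator refuses to issue a session instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a session-ID generator fed by a CSPRNG call with
 * RAND_bytes-style semantics (1 = success, 0 = failure). The RNG functions
 * below are constructed stand-ins, not OpenSSL and not mod_auth_mellon code. */

#define SESSION_ID_LEN 32

typedef int (*rng_fn)(unsigned char *buf, int num);

/* Weak pattern: the RNG's return value is ignored. If the RNG fails (for
 * example because it cannot allocate under memory pressure), the buffer is
 * used as-is, so the "random" session ID is whatever was already there. */
int make_session_id_unchecked(rng_fn rng, unsigned char *out, int len)
{
    memset(out, 0, (size_t)len); /* stand-in for stale buffer contents */
    (void)rng(out, len);         /* failure silently ignored */
    return 1;                    /* always reports success */
}

/* Hardened pattern: RNG failure aborts session creation instead of handing
 * out a predictable value; the buffer is scrubbed so it cannot be reused. */
int make_session_id_checked(rng_fn rng, unsigned char *out, int len)
{
    memset(out, 0, (size_t)len);
    if (rng(out, len) != 1) {
        memset(out, 0, (size_t)len);
        return 0;
    }
    return 1;
}

/* Constructed RNG: reads the kernel CSPRNG via /dev/urandom (Linux). */
int urandom_rng(unsigned char *buf, int num)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return 0;
    size_t got = fread(buf, 1, (size_t)num, f);
    fclose(f);
    return got == (size_t)num ? 1 : 0;
}

/* Constructed RNG that always fails, simulating the memory-pressure case. */
int failing_rng(unsigned char *buf, int num)
{
    (void)buf;
    (void)num;
    return 0;
}

/* Check for this model only: an all-zero ID means the RNG never wrote the
 * buffer. Real stale memory is not necessarily zero, which is exactly why
 * the return value, not the buffer content, is what must be checked. */
int is_all_zero(const unsigned char *buf, int len)
{
    for (int i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

static void print_hex(const char *label, const unsigned char *buf, int len)
{
    printf("%s", label);
    for (int i = 0; i < len; i++)
        printf("%02x", buf[i]);
    printf("\n");
}

int main(void)
{
    unsigned char id[SESSION_ID_LEN];

    make_session_id_unchecked(failing_rng, id, SESSION_ID_LEN);
    print_hex("unchecked + failing RNG : ", id, SESSION_ID_LEN);

    if (make_session_id_checked(failing_rng, id, SESSION_ID_LEN))
        print_hex("checked + failing RNG   : ", id, SESSION_ID_LEN);
    else
        printf("checked + failing RNG   : refused to issue session\n");

    if (make_session_id_checked(urandom_rng, id, SESSION_ID_LEN))
        print_hex("checked + /dev/urandom  : ", id, SESSION_ID_LEN);
    else
        printf("checked + /dev/urandom  : RNG unavailable\n");
    return 0;
}
```

The design point is that the caller cannot tell a good ID from a bad one by looking at the bytes, so the only reliable signal is the RNG's own status; treating a failed call as a hard error for that request (no session issued, buffer scrubbed) is the mitigation, and a server-side log line on that path gives operators a detection hook for the memory-pressure condition itself.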

Comment 3 Murray McAllister 2014-11-04 01:37:12 UTC
This bug may be fixed in a future, upstream mod_auth_mellon release. Closing for now.
