oss-sec mailing list archives
OpenDayLight: Password change doesn't result in Karaf clearing cache, allowing old password to still be used (CVE-2017-1000406)
From: Luke Hinds <lhinds () redhat com>
Date: Thu, 23 Nov 2017 21:05:31 +0000
This email is a notification of a vulnerability discovered in OpenDayLights AAA module. The current status of the vulnerability is open / public, so no embargo is currently active. opendaylight-advisory: Password change doesn't result in Karaf clearing cache, allowing old password to still be used) cve: CVE-2017-1000406 Vaibhav Hemant Dixit from Arizona State University reported a vulnerability in OpenDayLight AAA, whereby should a user update a password, the login is still successful with both OLD and NEW passwords. This is a result of how claimCache is flushed in AAA IDM when using the Karaf CLI. The issue is not present when using the AAA IDM REST API, as the handlers already invoke the clearing of the IdmLightProxy claimCache upon user update. A flush can be made by performing a reboot of Karaf or by applying the patches referenced in this advisory, as the patches enable the Karaf CLI to call IdmLightProxy claimCache and perform a flush every time a user changes a password. branch: master, nitrogen, carbon review: https://git.opendaylight.org/gerrit/#/q/topic:AAA-151 jira: https://jira.opendaylight.org/browse/AAA-151 release-notes: The fixes will be be available in the coming Nitrogen-SR1 and Carbon-SR3 releases. -- Luke Hinds OpenDaylight Security Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- OpenDayLight: Password change doesn't result in Karaf clearing cache, allowing old password to still be used (CVE-2017-1000406) Luke Hinds (Nov 23)