Date: Thu, 23 Nov 2017 21:05:31 +0000 From: Luke Hinds <lhinds@...hat.com> To: oss-security <oss-security@...ts.openwall.com> Subject: OpenDayLight: Password change doesn't result in Karaf clearing cache, allowing old password to still be used (CVE-2017-1000406) This email is a notification of a vulnerability discovered in OpenDayLights AAA module. The current status of the vulnerability is open / public, so no embargo is currently active. opendaylight-advisory: Password change doesn't result in Karaf clearing cache, allowing old password to still be used) cve: CVE-2017-1000406 Vaibhav Hemant Dixit from Arizona State University reported a vulnerability in OpenDayLight AAA, whereby should a user update a password, the login is still successful with both OLD and NEW passwords. This is a result of how claimCache is flushed in AAA IDM when using the Karaf CLI. The issue is not present when using the AAA IDM REST API, as the handlers already invoke the clearing of the IdmLightProxy claimCache upon user update. A flush can be made by performing a reboot of Karaf or by applying the patches referenced in this advisory, as the patches enable the Karaf CLI to call IdmLightProxy claimCache and perform a flush every time a user changes a password. branch: master, nitrogen, carbon review: https://git.opendaylight.org/gerrit/#/q/topic:AAA-151 jira: https://jira.opendaylight.org/browse/AAA-151 release-notes: The fixes will be be available in the coming Nitrogen-SR1 and Carbon-SR3 releases. -- Luke Hinds OpenDaylight Security Team Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ