Uploaded image for project: 'aaa'
  1. aaa
  2. AAA-151

Previous password continues to work after password change

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: High
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: Carbon-SR3, Nitrogen-SR1
    • Component/s: General
    • Labels:
      None

      Description

      #security-status: confirmed-leaked

      This issue has been confirmed as a security vulnerability in
      OpenDayLight AAA. Unfortunately the details of this flaw have been
      made public. Therefore it cannot be fixed under the OpenDaylight
      embargoed security vulnerability process. As this issue is now public
      it is important that the flaw is addressed in a timely manner. The
      OpenDaylight security team will ensure that a CVE is assigned for this issue.

      Vaibhav Hemant Dixit reported the following security vulnerability to the security mailing list:

      Severity : OPENDAYLIGHT AUTHENTICATION BREACHED

      Issue: After updating the password, the login is successful with both OLD and NEW passwords
      Controller: Distribution Version: distribution-karaf-0.6.1-Carbon.tar.gz

      Steps to reproduce:

      Start the controller.
      Install feature on Karaf: "feature:install odl-aaa-cli "
      Changed the admin password :
      _aaa:change-user-pwd -user admin
      Enter current password:
      Enter new password:
      admin's password has been changed_

      Observation:

      The admin user can authenticate using both OLD and NEW passwords.
      Execute a REST call with OLD and new password, the authentication is successful.
      If the controller is shutdown and restarted, the issue is not seen anymore.

        Attachments

        # Subject Branch Project Status CR V

          Activity

            People

            Assignee:
            rgoulding Ryan Goulding
            Reporter:
            vhd Vaibhav Hemant Dixit
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: