https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/AAA-151 aaa <p>#security-status: confirmed-leaked</p> <p> This issue has been confirmed as a security vulnerability in<br/> OpenDayLight AAA. Unfortunately the details of this flaw have been<br/> made public. Therefore it cannot be fixed under the OpenDaylight <br/> embargoed security vulnerability process. As this issue is now public <br/> it is important that the flaw is addressed in a timely manner. The <br/> OpenDaylight security team will ensure that a CVE is assigned for this issue.</p> <p>Vaibhav Hemant Dixit reported the following security vulnerability to the security mailing list:</p> <p>Severity : OPENDAYLIGHT AUTHENTICATION BREACHED</p> <p>Issue: After updating the password, the login is successful with both OLD and NEW passwords<br/> Controller: Distribution Version: distribution-karaf-0.6.1-Carbon.tar.gz</p> <p>Steps to reproduce:</p> <p> Start the controller.<br/> Install feature on Karaf: "feature:install odl-aaa-cli "<br/> Changed the admin password :<br/> _aaa:change-user-pwd -user admin<br/> Enter current password:<br/> Enter new password:<br/> admin's password has been changed_</p> <p>Observation:</p> <p> The admin user can authenticate using both OLD and NEW passwords.<br/> Execute a REST call with OLD and new password, the authentication is successful.<br/> If the controller is shutdown and restarted, the issue is not seen anymore.</p> AAA-151

Previous password continues to work after password change

Bug High Resolved Done Ryan Goulding Vaibhav Hemant Dixit Tue, 21 Nov 2017 16:53:15 +0000 Tue, 28 Nov 2017 18:22:01 +0000 Tue, 28 Nov 2017 18:22:01 +0000 Carbon-SR3 Nitrogen-SR1 General 0 3 <p>Proposed fix:</p> <p><a href="https://git.opendaylight.org/gerrit/#/q/topic:AAA-151" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/q/topic:AAA-151</a></p> <p>Affects CLI only; the REST endpoints do Claim cache invalidation already. Reboot works because the ClaimCache is force-flushed upon exit of the Java process. Although the CLI requires system access for (bin/client) or SSH access to the Karaf process, the effects are still bad because an admin expects that the old password should not work after he/she has changed it. He or she invokes the change-user-password Karaf CLI command expecting that the old credentials will no longer be accepted.</p> <p>Not sure how we want to handle this, but I'd imagine it involves CVE and proper documentation. The fixes will be merged to the affected branches (carbon, nitrogen &amp; master) as they pass jenkins-releng.</p> <p><del>Recommended Disclosure Dates</del></p> <p><del>Thursday 23/11 - Downstream Stakeholders</del></p> <p><del>Wednesday 29/11 - Go Public, open this JIRA and notify public mailing addresses.</del></p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=rgoulding" class="user-hover" rel="rgoulding">rgoulding</a> et al, please verify the impact description:</p> <blockquote> <p>Title: Previous passwords remain active after a password change, when using the Karaf CLI.</p> <p>Reporters: <br/> Vaibhav Hemant Dixit, Arizona State University </p> <p>Affects: OpenDayLight AAA<br/> Versions: Carbon, Nitrogen</p> <p>Risk-assessment:<br/> impact-rating: Important</p> <p>Description:</p> <p>Vaibhav Hemant Dixit from Arizona State University reported a vulnerability<br/> in OpenDayLight AAA, whereby should a user update a password, the login is still successful with both OLD and NEW passwords. This is a result of how claimCache is flushed in AAA IDM when using the Karaf CLI. The issue is not present when using the AAA IDM REST API, as the handlers already invoke the clearing of the IdmLightProxy claimCache upon user update. A flush can be made by performing a reboot of Karaf or by applying the patches referenced in this advisory, as the patches enable the Karaf CLI to call IdmLightProxy claimCache and perform a flush every time a user changes a password.</p> <p>Versions Affected: Nitrogen &amp; Carbon</p></blockquote> <p>My apologies, I was out for the Holiday weekend.  This seems accurate to me.  Thanks for your help with this issue.</p> Cloners Development Rank 0|i038cf: