<div dir="ltr">To clarify, it is possible to DoS the Certificate System by repeatedly calling the /ca/rest/securityDomain/domainInfo url until the Directory Server exhausts all available connections.<br><br><br>$ rpm -qa 389* pki* | sort<br>389-ds-base-1.3.3.1-20.el7_1.x86_64<br>389-ds-base-libs-1.3.3.1-20.el7_1.x86_64<br>pki-base-10.2.6-7.el7.centos.noarch<br>pki-ca-10.2.6-7.el7.centos.noarch<br>pki-server-10.2.6-7.el7.centos.noarch<br>pki-tools-10.2.6-7.el7.centos.x86_64<br><br><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 27, 2015 at 6:15 PM, Aleksey Chudov <span dir="ltr"><<a href="mailto:aleksey.chudov@gmail.com" target="_blank">aleksey.chudov@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi,<br><br>I have found a possible PKI LDAP connection leak on access to the /ca/rest/securityDomain/domainInfo url.<br><br></div><div>To reproduce:<br></div><div><br># ss -ant state established sport = :636<br>Recv-Q Send-Q    Local Address:Port      Peer Address:Port <br>0      0           10.172.3.13:636        10.172.3.13:57696 <br>0      0           10.172.3.13:636        10.172.3.13:57692 <br>0      0           10.172.3.13:636        10.172.3.13:57695 <br>0      0           10.172.3.13:636        10.172.3.13:57690 <br>0      0           10.172.3.13:636        10.172.3.13:57689 <br>0      0           10.172.3.13:636        10.172.3.13:57693 <br>0      0           10.172.3.13:636        10.172.3.13:57688 <br>0      0           10.172.3.13:636        10.172.3.13:57691 <br>0      0           10.172.3.13:636        10.172.3.13:57687 <br><br># ss -ant state established sport = :636 | wc -l<br>10<br><br># for ((i=0; i<256; i++)); do curl http://localhost/ca/rest/securityDomain/domainInfo &>/dev/null; done<br><br># ss -ant state established sport = :636 | wc -l<br>266<br><br></div><div>Every request to the /ca/rest/securityDomain/domainInfo url increases the number of LDAP connections and produces the same messages in the debug log:<br><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SessionContextInterceptor: Not authenticated.<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: mapping: default<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: required auth methods: [*]<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: anonymous access allowed<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: 
ACLInterceptor: SecurityDomainResource.getDomainInfo()<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor.filter: no authorization required<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: No ACL mapping; authz not required.<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: content-type: null<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: accept: [*/*]<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: response format: application/xml<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor)<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory: init <br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory:doCloning true<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init()<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init begins<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: prompt is internaldb<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: try getting from memory cache<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: got password from 
memory<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: password found for prompt.<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: password ok: store in memory cache<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init ends<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before makeConnection errorIfDown is false<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: makeConnection: errorIfDown false<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake happened<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP connection using basic authentication to host <a href="http://srv334.example.com" target="_blank">srv334.example.com</a> port 636 as cn=Directory Manager<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with mininum 3 and maximum 15 connections to host <a href="http://srv334.example.com" target="_blank">srv334.example.com</a> port 636, secure connection, true, authentication type 1<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing minimum connections by 3<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total available connections 3<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of connections 3<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In LdapBoundConnFactory::getConn()<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is connected: true<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn is connected true<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns now 2<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: name: Company LLC<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: CA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:  - cn=<a 
href="http://srv333.example.com:8443" target="_blank">srv333.example.com:8443</a>,cn=CAList,ou=Security Domain,o=pki-tomcat-CA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - DomainManager: TRUE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - cn: <a href="http://srv333.example.com:8443" target="_blank">srv333.example.com:8443</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SubsystemName: CA <a href="http://srv333.example.com" target="_blank">srv333.example.com</a> 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - Clone: FALSE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - UnSecurePort: 8080<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAdminPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAgentPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecurePort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - host: <a href="http://srv333.example.com" target="_blank">srv333.example.com</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - objectClass: top<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:  - cn=<a href="http://srv334.example.com:8443" target="_blank">srv334.example.com:8443</a>,cn=CAList,ou=Security Domain,o=pki-tomcat-CA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - objectClass: top<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - cn: <a href="http://srv334.example.com:8443" 
target="_blank">srv334.example.com:8443</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - host: <a href="http://srv334.example.com" target="_blank">srv334.example.com</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecurePort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAgentPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAdminPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - UnSecurePort: 8080<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - DomainManager: TRUE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - Clone: TRUE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SubsystemName: CA <a href="http://srv334.example.com" target="_blank">srv334.example.com</a> 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:  - cn=<a href="http://srv335.example.com:8443" target="_blank">srv335.example.com:8443</a>,cn=CAList,ou=Security Domain,o=pki-tomcat-CA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - objectClass: top<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - cn: <a href="http://srv335.example.com:8443" target="_blank">srv335.example.com:8443</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - host: <a href="http://srv335.example.com" target="_blank">srv335.example.com</a><br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecurePort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: 
SecurityDomainProcessor:    - SecureAgentPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAdminPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - UnSecurePort: 8080<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - DomainManager: TRUE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - Clone: TRUE<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SubsystemName: CA <a href="http://srv335.example.com" target="_blank">srv335.example.com</a> 8443<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: OCSP<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: KRA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: RA<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TKS<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TPS<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection<br>[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn: mNumConns now 3<br></div><div><br><br></div><div>At the same time, requests to different urls do not increase the number of established LDAP connections.<br></div><div><br></div><div>Is it a bug or expected behavior?<span class=""><font color="#888888"><br></font></span></div><span class=""><font color="#888888"><div><br></div>Aleksey<br></font></span></div>
</blockquote></div><br></div></div></div>
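The check below is an added example written for this thread; it is not code from either message or from the pki project. It turns the symptom described above into a detection: the quoted debug log shows every request to /ca/rest/securityDomain/domainInfo emitting "Creating LdapBoundConnFactor(SecurityDomainProcessor)" followed by "initializing with mininum 3 and maximum 15 connections", and "Releasing ldap connection" only returns the connection to that fresh pool rather than closing it, so each request leaves at least the pool minimum established. The script parses log lines in that format, sums the minimum connections of every pool created, and cross-checks the estimate against the growth in sockets reported by `ss -ant state established sport = :636`. The sample log lines, thread names, timestamps and `ss` output below are constructed for the example (the log line shapes follow the thread, including its "mininum" spelling).

```python
"""Estimate LDAP connection leakage from a pki-ca debug log (added example)."""
import re
from collections import defaultdict

# Log line shape from the thread: [timestamp][thread]: message
LINE_RE = re.compile(r"^\[([^\]]+)\]\[([^\]]+)\]: (.*)$")
# Pool creation message; min\w+ also accepts the "mininum" spelling seen in the log.
POOL_INIT_RE = re.compile(
    r"initializing with min\w+ (\d+) and maximum (\d+) connections to host (\S+) port (\d+)"
)
REQUEST_MARKER = "AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()"
FACTORY_MARKER = "Creating LdapBoundConnFactor("

# Constructed sample: two requests on two Tomcat threads, each building its own pool.
SAMPLE_LOG = """\
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with mininum 3 and maximum 15 connections to host srv334.example.com port 636, secure connection, true, authentication type 1
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns now 2
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn: mNumConns now 3
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: initializing with mininum 3 and maximum 15 connections to host srv334.example.com port 636, secure connection, true, authentication type 1
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: Releasing ldap connection
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: returnConn: mNumConns now 3
"""

# Constructed `ss -ant state established sport = :636` output before and after the requests.
SAMPLE_SS_BEFORE = """\
Recv-Q Send-Q    Local Address:Port      Peer Address:Port
0      0           10.172.3.13:636        10.172.3.13:57687
0      0           10.172.3.13:636        10.172.3.13:57688
0      0           10.172.3.13:636        10.172.3.13:57689
"""
SAMPLE_SS_AFTER = SAMPLE_SS_BEFORE + "".join(
    f"0      0           10.172.3.13:636        10.172.3.13:{port}\n"
    for port in range(57690, 57696)
)


def parse_line(line):
    """Split one debug-log line into (timestamp, thread, message); None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def pool_report(lines):
    """Count requests, pools created and the connections those pools keep open.

    Every pool initialisation is counted as holding its minimum connection count,
    because the log shows connections being returned to the pool, never the pool
    being shut down. Counts are taken across all threads.
    """
    report = {"requests": 0, "pools_created": 0, "held_connections": 0, "hosts": defaultdict(int)}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, _, msg = parsed
        if REQUEST_MARKER in msg:
            report["requests"] += 1
        elif FACTORY_MARKER in msg:
            report["pools_created"] += 1
        else:
            m = POOL_INIT_RE.search(msg)
            if m:
                min_conns = int(m.group(1))
                report["held_connections"] += min_conns
                report["hosts"][f"{m.group(3)}:{m.group(4)}"] += min_conns
    report["hosts"] = dict(report["hosts"])
    return report


def established_count(ss_output, port=636):
    """Count established sockets whose local port matches, from `ss -ant state established` output."""
    count = 0
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header line
        if fields[2].rsplit(":", 1)[-1] == str(port):
            count += 1
    return count


def leak_suspected(report, observed_sockets, baseline_sockets):
    """True when a pool was built for every request and the socket growth accounts for it."""
    if report["requests"] == 0 or report["pools_created"] < report["requests"]:
        return False
    return observed_sockets - baseline_sockets >= report["held_connections"]


if __name__ == "__main__":
    rep = pool_report(SAMPLE_LOG.splitlines())
    before = established_count(SAMPLE_SS_BEFORE)
    after = established_count(SAMPLE_SS_AFTER)
    print(rep, "sockets:", before, "->", after, "leak:", leak_suspected(rep, after, before))
```

On a live system, feed `pool_report` the tail of the CA debug log and `established_count` the real `ss` output taken before and after a window of requests; a leak is flagged only when both the per-request pool creation and the matching socket growth are present, which avoids alerting on a single legitimately initialised pool at startup.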