[Pki-users] Possible PKI LDAP connections leak?

Aleksey Chudov aleksey.chudov at gmail.com
Fri Aug 28 19:21:21 UTC 2015


To clarify, it is possible to DoS the Certificate System by repeatedly calling
the /ca/rest/securityDomain/domainInfo url until Directory Server exhausts all
available connections.


$ rpm -qa 389* pki* | sort
389-ds-base-1.3.3.1-20.el7_1.x86_64
389-ds-base-libs-1.3.3.1-20.el7_1.x86_64
pki-base-10.2.6-7.el7.centos.noarch
pki-ca-10.2.6-7.el7.centos.noarch
pki-server-10.2.6-7.el7.centos.noarch
pki-tools-10.2.6-7.el7.centos.x86_64


On Thu, Aug 27, 2015 at 6:15 PM, Aleksey Chudov <aleksey.chudov at gmail.com>
wrote:

> Hi,
>
> I have found a possible PKI LDAP connection leak on access to the
> /ca/rest/securityDomain/domainInfo url.
>
> To reproduce
>
> # ss -ant state established sport = :636
> Recv-Q Send-Q    Local Address:Port      Peer Address:Port
> 0      0           10.172.3.13:636        10.172.3.13:57696
> 0      0           10.172.3.13:636        10.172.3.13:57692
> 0      0           10.172.3.13:636        10.172.3.13:57695
> 0      0           10.172.3.13:636        10.172.3.13:57690
> 0      0           10.172.3.13:636        10.172.3.13:57689
> 0      0           10.172.3.13:636        10.172.3.13:57693
> 0      0           10.172.3.13:636        10.172.3.13:57688
> 0      0           10.172.3.13:636        10.172.3.13:57691
> 0      0           10.172.3.13:636        10.172.3.13:57687
>
> # ss -ant state established sport = :636 | wc -l
> 10
>
> # for ((i=0; i<256; i++)); do curl
> http://localhost/ca/rest/securityDomain/domainInfo &>/dev/null; done
>
> # ss -ant state established sport = :636 | wc -l
> 266
>
> Every request to the /ca/rest/securityDomain/domainInfo url increases the number
> of LDAP connections and produces the same messages in the debug log
>
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SessionContextInterceptor: Not authenticated.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> AuthMethodInterceptor: mapping: default
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> AuthMethodInterceptor: required auth methods: [*]
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> AuthMethodInterceptor: anonymous access allowed
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor:
> SecurityDomainResource.getDomainInfo()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> ACLInterceptor.filter: no authorization required
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: No
> ACL mapping; authz not required.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SignedAuditEventFactory: create()
> message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL
> mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization
> success
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> MessageFormatInterceptor: content-type: null
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> MessageFormatInterceptor: accept: [*/*]
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> MessageFormatInterceptor: response format: application/xml
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to
> ccMode, authorization for servlet: securitydomain is LDAP based, not XML
> {1}, use default authz mgr: {2}.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating
> LdapBoundConnFactor(SecurityDomainProcessor)
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> LdapBoundConnFactory: init
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> LdapBoundConnFactory:doCloning true
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init
> begins
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
> prompt is internaldb
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
> try getting from memory cache
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
> got password from memory
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init:
> password found for prompt.
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo:
> password ok: store in memory cache
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init
> ends
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before
> makeConnection errorIfDown is false
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: makeConnection:
> errorIfDown false
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake
> happened
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP
> connection using basic authentication to host srv334.example.com port 636
> as cn=Directory Manager
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with
> mininum 3 and maximum 15 connections to host srv334.example.com port 636,
> secure connection, true, authentication type 1
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing minimum
> connections by 3
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total available
> connections 3
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of
> connections 3
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In
> LdapBoundConnFactory::getConn()
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is
> connected: true
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn is
> connected true
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns
> now 2
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: name: Company LLC
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:  - cn=srv333.example.com:8443,cn=CAList,ou=Security
> Domain,o=pki-tomcat-CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - DomainManager: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - cn: srv333.example.com:8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SubsystemName: CA srv333.example.com 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - Clone: FALSE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - UnSecurePort: 8080
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecureAdminPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecureAgentPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecurePort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - host: srv333.example.com
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - objectClass: top
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:  - cn=srv334.example.com:8443,cn=CAList,ou=Security
> Domain,o=pki-tomcat-CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - objectClass: top
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - cn: srv334.example.com:8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - host: srv334.example.com
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecurePort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecureAgentPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecureAdminPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - UnSecurePort: 8080
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - DomainManager: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - Clone: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SubsystemName: CA srv334.example.com 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:  - cn=srv335.example.com:8443,cn=CAList,ou=Security
> Domain,o=pki-tomcat-CA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - objectClass: top
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - cn: srv335.example.com:8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - host: srv335.example.com
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecurePort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecureAgentPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecureAdminPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - UnSecurePort: 8080
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - DomainManager: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - Clone: TRUE
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor:    - SubsystemName: CA srv335.example.com 8443
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: OCSP
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: KRA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: RA
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: TKS
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]:
> SecurityDomainProcessor: subtype: TPS
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap
> connection
> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn:
> mNumConns now 3
>
>
> At the same time, requests to other urls do not increase the number
> of established LDAP connections.
>
> Is it a bug or expected behavior?
>
> Aleksey
>
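A defender-side check for the symptom described in the report, as an added example that is not code from the report or from the PKI project: it counts established LDAPS sockets in two samples of `ss -ant state established sport = :636` output and counts how many LdapBoundConnFactory instances the debug log shows being created, which is the per-request pool creation visible above. The ss listings and log excerpt are constructed to match the shapes on the page, and `max_conns` is an assumed Directory Server connection limit.

```python
import re

# Constructed sample in the shape of `ss -ant state established sport = :636`
# output (not a real capture).
SS_BEFORE = """\
Recv-Q Send-Q    Local Address:Port      Peer Address:Port
0      0           10.172.3.13:636        10.172.3.13:57696
0      0           10.172.3.13:636        10.172.3.13:57692
0      0           10.172.3.13:636        10.172.3.13:57695
"""
# Same host sampled after a burst of requests: twelve extra sockets.
SS_AFTER = SS_BEFORE + "".join(
    f"0      0           10.172.3.13:636        10.172.3.13:{p}\n"
    for p in range(57700, 57712))

# Constructed debug-log excerpt: a new LdapBoundConnFactory per request that
# is never shut down, the pattern the report's log shows.
DEBUG_LOG = """\
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: Releasing ldap connection
"""

# One ss data row: Recv-Q Send-Q local:port peer:port (header does not match).
SS_ROW = re.compile(r"^\d+\s+\d+\s+\S+:(\d+)\s+\S+:\d+$")

def count_ldaps_conns(ss_output, port=636):
    """Number of established sockets whose local port is `port`."""
    n = 0
    for line in ss_output.splitlines():
        m = SS_ROW.match(line.strip())
        if m and int(m.group(1)) == port:
            n += 1
    return n

def factories_created(log):
    """Count factory creations in the debug log; more than one across
    requests means a fresh connection pool is built per request."""
    return sum("Creating LdapBoundConnFactor" in line for line in log.splitlines())

def leak_check(before, after, max_conns, warn_ratio=0.8):
    """Compare two samples; return (delta, alert reason or None)."""
    b, a = count_ldaps_conns(before), count_ldaps_conns(after)
    delta = a - b
    if a >= warn_ratio * max_conns:
        return delta, f"{a} LDAPS connections, near limit {max_conns}"
    if delta > 0:
        return delta, f"connection count grew by {delta} between samples"
    return delta, None
```

In practice the two samples come from running the ss command a few minutes apart on the CA host, and a steadily positive delta with no matching growth in client traffic is the signal to look for.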