Re: [Pki-users] Possible PKI LDAP connections leak?

To clarify it is possible to DOS the Certificate System repeatedly calling /ca/rest/securityDomain/domainInfo url until Direcrory Server exhausts all available connections. $ rpm -qa 389* pki* | sort 389-ds-base-1.3.3.1-20.el7_1.x86_64 389-ds-base-libs-1.3.3.1-20.el7_1.x86_64 pki-base-10.2.6-7.el7.centos.noarch pki-ca-10.2.6-7.el7.centos.noarch pki-server-10.2.6-7.el7.centos.noarch pki-tools-10.2.6-7.el7.centos.x86_64 On Thu, Aug 27, 2015 at 6:15 PM, Aleksey Chudov <aleksey.chudov(a)gmail.com <mailto:aleksey.chudov@gmail.com>> wrote: Hi, I have found possible PKI LDAP connections leak on access to /ca/rest/securityDomain/domainInfo url. To reproduce # ss -ant state established sport = :636 Recv-Q Send-Q Local Address:Port Peer Address:Port 0 0 10.172.3.13:636 <http://10.172.3.13:636> 10.172.3.13:57696 <http://10.172.3.13:57696> 0 0 10.172.3.13:636 <http://10.172.3.13:636> 10.172.3.13:57692 <http://10.172.3.13:57692> 0 0 10.172.3.13:636 <http://10.172.3.13:636> 10.172.3.13:57695 <http://10.172.3.13:57695> 0 0 10.172.3.13:636 <http://10.172.3.13:636> 10.172.3.13:57690 <http://10.172.3.13:57690> 0 0 10.172.3.13:636 <http://10.172.3.13:636> 10.172.3.13:57689 <http://10.172.3.13:57689> 0 0 10.172.3.13:636 <http://10.172.3.13:636> 10.172.3.13:57693 <http://10.172.3.13:57693> 0 0 10.172.3.13:636 <http://10.172.3.13:636> 10.172.3.13:57688 <http://10.172.3.13:57688> 0 0 10.172.3.13:636 <http://10.172.3.13:636> 10.172.3.13:57691 <http://10.172.3.13:57691> 0 0 10.172.3.13:636 <http://10.172.3.13:636> 10.172.3.13:57687 <http://10.172.3.13:57687> # ss -ant state established sport = :636 | wc -l 10 # for ((i=0; i<256; i++)); do curl http://localhost/ca/rest/securityDomain/domainInfo &>/dev/null; done # ss -ant state established sport = :636 | wc -l 266 Every request to /ca/rest/securityDomain/domainInfo url increases number on LDAP connections and produces the same message in debug log [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SessionContextInterceptor: Not authenticated. [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo() [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: mapping: default [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: required auth methods: [*] [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: anonymous access allowed [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: SecurityDomainResource.getDomainInfo() [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor.filter: no authorization required [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: No ACL mapping; authz not required. [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo() [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: content-type: null [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: accept: [*/*] [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: response format: application/xml [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}. [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor) [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory: init [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory:doCloning true [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init() [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init begins [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: prompt is internaldb [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: try getting from memory cache [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: got password from memory [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: password found for prompt. [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: password ok: store in memory cache [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init ends [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before makeConnection errorIfDown is false [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: makeConnection: errorIfDown false [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake happened [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP connection using basic authentication to host srv334.example.com <http://srv334.example.com> port 636 as cn=Directory Manager [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with mininum 3 and maximum 15 connections to host srv334.example.com <http://srv334.example.com> port 636, secure connection, true, authentication type 1 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing minimum connections by 3 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total available connections 3 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of connections 3 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In LdapBoundConnFactory::getConn() [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is connected: true [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn is connected true [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns now 2 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: name: Company LLC [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: CA [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv333.example.com:8443 <http://srv333.example.com:8443>,cn=CAList,ou=Security Domain,o=pki-tomcat-CA [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv333.example.com:8443 <http://srv333.example.com:8443> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv333.example.com <http://srv333.example.com> 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: FALSE [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv333.example.com <http://srv333.example.com> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv334.example.com:8443 <http://srv334.example.com:8443>,cn=CAList,ou=Security Domain,o=pki-tomcat-CA [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv334.example.com:8443 <http://srv334.example.com:8443> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv334.example.com <http://srv334.example.com> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: TRUE [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv334.example.com <http://srv334.example.com> 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn=srv335.example.com:8443 <http://srv335.example.com:8443>,cn=CAList,ou=Security Domain,o=pki-tomcat-CA [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - objectClass: top [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - cn: srv335.example.com:8443 <http://srv335.example.com:8443> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - host: srv335.example.com <http://srv335.example.com> [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecurePort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAgentPort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureAdminPort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - UnSecurePort: 8080 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SecureEEClientAuthPort: 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - DomainManager: TRUE [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - Clone: TRUE [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: - SubsystemName: CA srv335.example.com <http://srv335.example.com> 8443 [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: OCSP [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: KRA [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: RA [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TKS [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TPS [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection [27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn: mNumConns now 3 At the same time requests to different urls does not increase the number of established LDAP connections. Is it a bug or expected behavior? Aleksey _______________________________________________ Pki-users mailing list Pki-users(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-users