To clarify: it is possible to DoS the Certificate System by repeatedly calling the /ca/rest/securityDomain/domainInfo URL until the Directory Server exhausts all available connections.


$ rpm -qa 389* pki* | sort
389-ds-base-1.3.3.1-20.el7_1.x86_64
389-ds-base-libs-1.3.3.1-20.el7_1.x86_64
pki-base-10.2.6-7.el7.centos.noarch
pki-ca-10.2.6-7.el7.centos.noarch
pki-server-10.2.6-7.el7.centos.noarch
pki-tools-10.2.6-7.el7.centos.x86_64


On Thu, Aug 27, 2015 at 6:15 PM, Aleksey Chudov <aleksey.chudov@gmail.com> wrote:
Hi,

I have found a possible PKI LDAP connection leak on access to the /ca/rest/securityDomain/domainInfo URL.

To reproduce:

# ss -ant state established sport = :636
Recv-Q Send-Q    Local Address:Port      Peer Address:Port
0      0           10.172.3.13:636        10.172.3.13:57696
0      0           10.172.3.13:636        10.172.3.13:57692
0      0           10.172.3.13:636        10.172.3.13:57695
0      0           10.172.3.13:636        10.172.3.13:57690
0      0           10.172.3.13:636        10.172.3.13:57689
0      0           10.172.3.13:636        10.172.3.13:57693
0      0           10.172.3.13:636        10.172.3.13:57688
0      0           10.172.3.13:636        10.172.3.13:57691
0      0           10.172.3.13:636        10.172.3.13:57687

# ss -ant state established sport = :636 | wc -l
10

# for ((i=0; i<256; i++)); do curl http://localhost/ca/rest/securityDomain/domainInfo &>/dev/null; done

# ss -ant state established sport = :636 | wc -l
266

Every request to the /ca/rest/securityDomain/domainInfo URL increases the number of LDAP connections and produces the same messages in the debug log:

[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SessionContextInterceptor: Not authenticated.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: mapping: default
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: required auth methods: [*]
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: anonymous access allowed
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor.filter: no authorization required
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: ACLInterceptor: No ACL mapping; authz not required.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SecurityDomainResource.getDomainInfo] authorization success
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: content-type: null
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: accept: [*/*]
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: MessageFormatInterceptor: response format: application/xml
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: according to ccMode, authorization for servlet: securitydomain is LDAP based, not XML {1}, use default authz mgr: {2}.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory: init
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapBoundConnFactory:doCloning true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init begins
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: prompt is internaldb
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: try getting from memory cache
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: got password from memory
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init: password found for prompt.
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: password ok: store in memory cache
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: LdapAuthInfo: init ends
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: init: before makeConnection errorIfDown is false
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: makeConnection: errorIfDown false
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SSL handshake happened
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP connection using basic authentication to host srv334.example.com port 636 as cn=Directory Manager
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: initializing with mininum 3 and maximum 15 connections to host srv334.example.com port 636, secure connection, true, authentication type 1
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: increasing minimum connections by 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new total available connections 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: new number of connections 3
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: In LdapBoundConnFactory::getConn()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: masterConn is connected: true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: conn is connected true
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: getConn: mNumConns now 2
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: name: Company LLC
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:  - cn=srv333.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - cn: srv333.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SubsystemName: CA srv333.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - Clone: FALSE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - host: srv333.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:  - cn=srv334.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - cn: srv334.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - host: srv334.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - Clone: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SubsystemName: CA srv334.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:  - cn=srv335.example.com:8443,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - objectClass: top
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - cn: srv335.example.com:8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - host: srv335.example.com
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecurePort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAgentPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureAdminPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - UnSecurePort: 8080
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SecureEEClientAuthPort: 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - DomainManager: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - Clone: TRUE
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor:    - SubsystemName: CA srv335.example.com 8443
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: OCSP
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: KRA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: RA
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TKS
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: SecurityDomainProcessor: subtype: TPS
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: returnConn: mNumConns now 3


At the same time, requests to different URLs do not increase the number of established LDAP connections.

Is it a bug or expected behavior?

Aleksey
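The debug log above shows the mechanism behind the rising ss count: every getDomainInfo request creates its own LdapBoundConnFactory and binds a new connection as cn=Directory Manager, and the "Releasing ldap connection" at the end only returns the connection to that per-request pool, which is never shut down. The following script is an added example, not part of this thread or of Dogtag's own code. It attributes each "Creating LdapBoundConnFactor(...)" and "Established LDAP connection ..." line to the REST method most recently dispatched on the same worker thread (the "AuthMethodInterceptor: Resource.method()" line) and flags methods whose count of new connections keeps pace with their request count. The sample log is constructed from the lines in the report; the [main] startup thread and the ExampleResource.noLeak() method are hypothetical, added only as a non-leaking baseline.

```python
"""Find REST handlers that bind a fresh LDAP connection on every request.

Reads Dogtag/RHCS debug-log lines of the form
    [dd/Mon/yyyy:HH:MM:SS][thread]: message
and charges each "Creating LdapBoundConnFactor(...)" and "Established LDAP
connection ..." message to the REST method most recently dispatched on the
same worker thread.  A healthy handler borrows from a pool built once at
startup, so a method whose new-connection count matches its request count
is leaking one socket per request.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]*)\]\[(?P<thread>[^\]]*)\]: (?P<msg>.*)$')
# Only the AuthMethodInterceptor line is counted, so each request counts once.
METHOD_RE = re.compile(r'^AuthMethodInterceptor: (?P<method>[A-Za-z_]\w*\.[A-Za-z_]\w*)\(\)$')
# Spelling ("LdapBoundConnFactor") follows the log message verbatim.
POOL_RE = re.compile(r'^Creating LdapBoundConnFactor\(')
CONN_RE = re.compile(r'^Established LDAP connection using \S+ authentication '
                     r'to host (?P<host>\S+) port (?P<port>\d+) as (?P<bind>.+)$')

UNATTRIBUTED = '<unattributed>'   # e.g. the pool built once at subsystem startup


class Stats(NamedTuple):
    requests: int       # AuthMethodInterceptor dispatches seen for the method
    pools: int          # LdapBoundConnFactory instances created while handling it
    connections: int    # new LDAP binds performed while handling it


def connection_stats(lines: Iterable[str]) -> Dict[str, Stats]:
    """Per-method request, pool-creation and new-connection counts."""
    current: Dict[str, str] = {}      # thread -> method currently handled on it
    requests, pools, conns = Counter(), Counter(), Counter()
    for raw in lines:
        m = LINE_RE.match(raw.rstrip('\n'))
        if not m:
            continue                  # stack traces, blank lines, other formats
        thread, msg = m['thread'], m['msg']
        mm = METHOD_RE.match(msg)
        if mm:
            current[thread] = mm['method']
            requests[mm['method']] += 1
            continue
        owner = current.get(thread, UNATTRIBUTED)
        if POOL_RE.match(msg):
            pools[owner] += 1
        elif CONN_RE.match(msg):
            conns[owner] += 1
    return {name: Stats(requests[name], pools[name], conns[name])
            for name in set(requests) | set(pools) | set(conns)}


def leaking_methods(lines: Iterable[str], min_requests: int = 2) -> List[str]:
    """Methods that opened at least one new LDAP connection per request."""
    return sorted(name for name, s in connection_stats(lines).items()
                  if s.requests >= min_requests and s.connections >= s.requests)


# Constructed sample: three getDomainInfo requests (each binding a new
# connection, as in the report), two requests to a hypothetical non-leaking
# method, and one startup bind on a hypothetical [main] thread.
SAMPLE_LOG = """\
[27/Aug/2015:18:03:10][main]: Established LDAP connection using basic authentication to host srv334.example.com port 636 as cn=Directory Manager
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: anonymous access allowed
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP connection using basic authentication to host srv334.example.com port 636 as cn=Directory Manager
[27/Aug/2015:18:04:00][ajp-bio-127.0.0.1-8009-exec-6]: Releasing ldap connection
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: AuthMethodInterceptor: ExampleResource.noLeak()
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-7]: Releasing ldap connection
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-8]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-8]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:01][ajp-bio-127.0.0.1-8009-exec-8]: Established LDAP connection using basic authentication to host srv334.example.com port 636 as cn=Directory Manager
[27/Aug/2015:18:04:02][ajp-bio-127.0.0.1-8009-exec-7]: AuthMethodInterceptor: ExampleResource.noLeak()
[27/Aug/2015:18:04:02][ajp-bio-127.0.0.1-8009-exec-6]: AuthMethodInterceptor: SecurityDomainResource.getDomainInfo()
[27/Aug/2015:18:04:02][ajp-bio-127.0.0.1-8009-exec-6]: Creating LdapBoundConnFactor(SecurityDomainProcessor)
[27/Aug/2015:18:04:02][ajp-bio-127.0.0.1-8009-exec-6]: Established LDAP connection using basic authentication to host srv334.example.com port 636 as cn=Directory Manager
"""

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for name, s in sorted(connection_stats(lines).items()):
        print(f'{name:40s} requests={s.requests:3d} pools={s.pools:3d} '
              f'new_connections={s.connections:3d}')
    print('leaking:', leaking_methods(lines))
```

Run it against /var/log/pki/pki-tomcat/ca/debug (or wherever the instance writes its debug log) with `connection_stats(open(path))` after driving the endpoint a few times; together with the ss count before and after, the per-method numbers tell you which handler is responsible without needing to read the full trace by hand.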