ad-gpo: use hash to store intermediate results (fixes CVE-2023-3758) #7302
Closed
Conversation
alexey-tikhonov approved these changes on Apr 17, 2024
057122e to 4fc3875
thalman approved these changes on Apr 18, 2024
Thanks, ACK

CVE-2023-3758 seems to be assigned to this issue.

That's correct.
gerrit-photon pushed a commit to vmware/photon that referenced this pull request on Apr 25, 2024
Ref: SSSD/sssd#7302 Change-Id: I3fe67b4a7092bdc332e2ecf590b7d8f48b81207f Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/23799 Tested-by: gerrit-photon <photon-checkins@vmware.com> Reviewed-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
gerrit-photon pushed a commit to vmware/photon that referenced this pull request on Apr 25, 2024
Ref: SSSD/sssd#7302 Change-Id: I601639776d99c490554036a73888a4a4f0b6a0d5 Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/23801 Reviewed-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com> Tested-by: gerrit-photon <photon-checkins@vmware.com>
gerrit-photon pushed a commit to vmware/photon that referenced this pull request on Apr 26, 2024
Ref: SSSD/sssd#7302 Change-Id: I4064c58cda61b9ef703b81d610582dd52e35a51c Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/23800 Tested-by: Michelle Wang <michelle.wang@broadcom.com> Reviewed-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
Currently, after the evaluation of a single GPO file, the intermediate
results are stored in the cache and this cache entry is updated until
all applicable GPO files are evaluated. Finally, the data in the cache is
used to make the decision of whether access is granted or rejected.
If there are two or more access-control requests running in parallel, one
request might overwrite the cache object with intermediate data while
another request reads the cached data for the access decision and, as a
result, will make this decision based on intermediate data.
To avoid this, the intermediate results are not stored in the cache
anymore but in hash tables which are specific to the request. Only the
final result is written to the cache to have it available for offline
authentication.
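The race the commit message describes can be reproduced in miniature with a deterministic interleaving instead of real threads. The C model below is an added illustration and is not code from the SSSD project: each GPO file contributes an "allow" and a "deny" flag for the user under evaluation, "deny" wins once all GPOs are merged, and `shared_cache`, `gpo_files`, `step_vulnerable`/`step_fixed` and `run_interleaving` are constructed names. In the vulnerable variant every intermediate merge is written to the single shared cache and the decision is read back from it, so a second request that has only processed its first GPO clobbers the first request's complete result; in the fixed variant the merge lives in a per-request table and only the final result reaches the cache.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the ad-gpo access check: each GPO file contributes
 * an "allow" flag and a "deny" flag for the user being checked; "deny"
 * wins once all applicable GPO files have been merged. */
struct gpo_result { bool allow; bool deny; };

/* Constructed GPO list: the first GPO allows the user, the second denies. */
static const struct gpo_result gpo_files[] = { {true, false}, {false, true} };

/* The single shared cache entry, modelled after the cache object that the
 * commit message says was updated after every GPO file. */
static struct gpo_result shared_cache;

/* Per-request state: a private merge table (the fix) plus a cursor into
 * the GPO list. */
struct request {
    struct gpo_result merged;   /* request-specific intermediate result */
    int next_gpo;
};

static void merge(struct gpo_result *dst, const struct gpo_result *src) {
    dst->allow = dst->allow || src->allow;
    dst->deny  = dst->deny  || src->deny;
}

/* Vulnerable step: after each GPO file the intermediate merge is written
 * to the shared cache, where another concurrent request can overwrite it. */
static void step_vulnerable(struct request *r) {
    merge(&r->merged, &gpo_files[r->next_gpo++]);
    shared_cache = r->merged;
}

/* Vulnerable decision: trust whatever currently sits in the cache. */
static bool decide_vulnerable(void) {
    return shared_cache.allow && !shared_cache.deny;
}

/* Fixed step: intermediate results stay in the request's own table. */
static void step_fixed(struct request *r) {
    merge(&r->merged, &gpo_files[r->next_gpo++]);
}

/* Fixed decision: decide from the request's own table and write only the
 * final result to the cache so it is available for offline use. */
static bool decide_fixed(struct request *r) {
    shared_cache = r->merged;
    return r->merged.allow && !r->merged.deny;
}

/* Interleaving under test: request A evaluates both GPO files, then
 * request B evaluates only its first GPO file before A reaches its
 * decision. Returns A's access decision; the correct answer is "denied"
 * (false) because the second GPO file denies the user. */
static bool run_interleaving(bool fixed) {
    struct request a = {{false, false}, 0}, b = {{false, false}, 0};
    memset(&shared_cache, 0, sizeof shared_cache);
    if (fixed) {
        step_fixed(&a);
        step_fixed(&a);
        step_fixed(&b);
        return decide_fixed(&a);
    }
    step_vulnerable(&a);
    step_vulnerable(&a);
    step_vulnerable(&b);    /* B's intermediate data overwrites A's final merge */
    return decide_vulnerable();
}

int main(void) {
    printf("vulnerable: A granted=%d (correct answer is 0)\n", run_interleaving(false));
    printf("fixed:      A granted=%d (correct answer is 0)\n", run_interleaving(true));
    return 0;
}
```

The model only captures the ordering hazard, not SSSD's actual cache layout or SID lists; the point it demonstrates is that any per-request state which is written to a shared object before the computation is complete is readable by, and can be clobbered by, an unrelated request, which is why the fix moves the intermediate results into request-private hash tables and persists only the final verdict.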