ca3s is a CA system with a flexible RA part based on BPM aiming to automate as much as possible. Therefore providing ACME and SCEP interfaces in addition to the usual web form. Aggregating certificate sets from different sources and using CMP-connected CAs or ADCS instances for certificate creation. The ca3s core server is based on spring boot 2.x and jHipster
European Union Public License 1.2
8
stars
3
forks
source link
fix(deps): update dependency dnsjava:dnsjava to v3.6.0 [security] - autoclosed #522
Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones.
Details
DNS Messages are not authenticated. They do not guarantee that
received RRs are authentic
not received RRs do not exist
all or any received records in a response relate to the request
Applications utilizing DNSSEC generally expect these guarantees to be met, however DNSSEC by itself only guarantees the first two.
To meet the third guarantee, resolvers generally follow an (undocumented, as far as RFCs go) algorithm such as: (simplified, e.g. lacks DNSSEC validation!)
denote by QNAME the name you are querying (e.g. fraunhofer.de.), and initialize a list of aliases
if the ANSWER section contains a valid PTR RRSet for QNAME, return it (and optionally return the list of aliases as well)
if the ANSWER section contains a valid CNAME RRSet for QNAME, add it to the list of aliases. Set QNAME to the CNAME's target and go to 2.
Verify that QNAME does not have any PTR, CNAME and DNAME records using valid NSEC or NSEC3 records. Return null.
Note that this algorithm relies on NSEC records and thus requires a considerable portion of the DNSSEC specifications to be implemented. For this reason, it cannot be performed by a DNS client (aka application) and is typically performed as part of the resolver logic.
dnsjava does not implement a comparable algorithm, and the provided APIs instead return either
the received DNS message itself (e.g. when using a ValidatingResolver such as in this example), or
essentially just the contents of its ANSWER section (e.g. when using a LookupSession such as in this example)
If applications blindly filter the received results for RRs of the desired record type (as seems to be typical usage for dnsjava), a rogue recursive resolver or (on UDP/TCP connections) a network attacker can
In addition to the actual DNS response, add RRs irrelevant to the query but of the right datatype, e.g. from another zone, as long as that zone is correctly using DNSSEC, or
completely exchange the relevant response records
Impact
DNS(SEC) libraries are usually used as part of a larger security framework.
Therefore, the main misuses of this vulnerability concern application code, which might take the returned records as authentic answers to the request.
Here are three concrete examples of where this might be detrimental:
RFC 6186 specifies that to connect to an IMAP server for a user, a mail user agent should retrieve certain SRV records and send the user's credentials to the specified servers. Exchanging the SRV records can be a tool to redirect the credentials.
When delivering mail via SMTP, MX records determine where to deliver the mails to. Exchanging the MX records might lead to information disclosure. Additionally, an exchange of TLSA records might allow attackers to intercept TLS traffic.
Some research projects like LIGHTest are trying to manage CA trust stores via URI and SMIMEA records in the DNS. Exchanging these allows manipulating the root of trust for dependent applications.
Mitigations
At this point, the following mitigations are recommended:
When using a ValidatingResolver, ignore any Server indications of whether or not data was available (e.g. NXDOMAIN, NODATA, ...).
For APIs returning RRs from DNS responses, filter the RRs using an algorithm such as the one above. This includes e.g. LookupSession.lookupAsync.
Remove APIs dealing with raw DNS messages from the examples section or place a noticable warning above.
dnsjava/dnsjava (dnsjava:dnsjava)
### [`v3.6.0`](https://togithub.com/dnsjava/dnsjava/releases/tag/v3.6.0)
[Compare Source](https://togithub.com/dnsjava/dnsjava/compare/v3.5.3...v3.6.0)
- Fix CVE-2024-25638 (GHSA-cfxw-4h78-h7fw)
Lookup and LookupSession do not sanitize input properly, allowing to smuggle additional responses, even with DNSSEC. I would like to thank Thomas Bellebaum from Fraunhofer AISEC ([@bellebaum](https://togithub.com/bellebaum)) and Martin Schanzenbach ([@schanzen](https://togithub.com/schanzen)) for reporting and assisting me with this issue.
- Fix CVE-2023-50387 (GHSA-crjg-w57m-rqqf)
Denial-of-Service Algorithmic Complexity Attacks (KeyTrap)
- Fix CVE-2023-50868 (GHSA-mmwx-rj87-vfgr)
NSEC3 closest encloser proof can exhaust CPU resources (KeyTrap)
- Fix running all DNSSEC on the specified executor
- Add new DNSSEC algorithm constants for SM2SM3 and ECC-GOST12
- Add A/AAAA record constructor with IP address byte array
- Validate DS record digest lengths ([#250](https://togithub.com/dnsjava/dnsjava/issues/250))
- Fix NPE in SimpleResolver on invalid responses ([#277](https://togithub.com/dnsjava/dnsjava/issues/277))
- Add support for JEP 418: Internet-Address Resolution SPI ([#290](https://togithub.com/dnsjava/dnsjava/issues/290))
- Full JPMS support ([#246](https://togithub.com/dnsjava/dnsjava/issues/246))
- Pluggable I/O for SimpleResolver
([@chrisruffalo](https://togithub.com/chrisruffalo), [#253](https://togithub.com/dnsjava/dnsjava/issues/253))
- UDP port leak in SimpleResolver ([#318](https://togithub.com/dnsjava/dnsjava/issues/318))
- Fix clean shutdown in app containers when never used ([#319](https://togithub.com/dnsjava/dnsjava/issues/319))
- Fix concurrency issue in I/O clients ([#315](https://togithub.com/dnsjava/dnsjava/issues/315), [#323](https://togithub.com/dnsjava/dnsjava/issues/323))
- LookupSession doesn't cache CNAMEs ([#316](https://togithub.com/dnsjava/dnsjava/issues/316))
- SimpleResolver can fail with UPDATE response ([#322](https://togithub.com/dnsjava/dnsjava/issues/322))
- Replace synchronization in Zone with locks
([#305](https://togithub.com/dnsjava/dnsjava/issues/305), based on work from [@srijeet0406](https://togithub.com/srijeet0406) in [#306](https://togithub.com/dnsjava/dnsjava/issues/306))
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
3.5.3->3.6.0GitHub Vulnerability Alerts
CVE-2024-25638
Summary
Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones.
Details
DNS Messages are not authenticated. They do not guarantee that
Applications utilizing DNSSEC generally expect these guarantees to be met, however DNSSEC by itself only guarantees the first two. To meet the third guarantee, resolvers generally follow an (undocumented, as far as RFCs go) algorithm such as: (simplified, e.g. lacks DNSSEC validation!)
QNAMEthe name you are querying (e.g. fraunhofer.de.), and initialize a list of aliasesQNAME, return it (and optionally return the list of aliases as well)QNAME, add it to the list of aliases. SetQNAMEto the CNAME's target and go to 2.QNAMEdoes not have any PTR, CNAME and DNAME records using valid NSEC or NSEC3 records. Returnnull.Note that this algorithm relies on NSEC records and thus requires a considerable portion of the DNSSEC specifications to be implemented. For this reason, it cannot be performed by a DNS client (aka application) and is typically performed as part of the resolver logic.
dnsjava does not implement a comparable algorithm, and the provided APIs instead return either
If applications blindly filter the received results for RRs of the desired record type (as seems to be typical usage for dnsjava), a rogue recursive resolver or (on UDP/TCP connections) a network attacker can
Impact
DNS(SEC) libraries are usually used as part of a larger security framework. Therefore, the main misuses of this vulnerability concern application code, which might take the returned records as authentic answers to the request. Here are three concrete examples of where this might be detrimental:
Mitigations
At this point, the following mitigations are recommended:
LookupSession.lookupAsync.GHSA-mmwx-rj87-vfgr
Impact
Users using the
ValidatingResolverfor DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.Patches
Users should upgrade to dnsjava v3.6.0
Workarounds
Although not recommended, only using a non-validating resolver, will remove the vulnerability.
References
https://www.athene-center.de/en/keytrap
GHSA-crjg-w57m-rqqf
Impact
Users using the
ValidatingResolverfor DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.Patches
Users should upgrade to dnsjava v3.6.0
Workarounds
Although not recommended, only using a non-validating resolver, will remove the vulnerability.
References
https://www.athene-center.de/en/keytrap
Release Notes
dnsjava/dnsjava (dnsjava:dnsjava)
### [`v3.6.0`](https://togithub.com/dnsjava/dnsjava/releases/tag/v3.6.0) [Compare Source](https://togithub.com/dnsjava/dnsjava/compare/v3.5.3...v3.6.0) - Fix CVE-2024-25638 (GHSA-cfxw-4h78-h7fw) Lookup and LookupSession do not sanitize input properly, allowing to smuggle additional responses, even with DNSSEC. I would like to thank Thomas Bellebaum from Fraunhofer AISEC ([@bellebaum](https://togithub.com/bellebaum)) and Martin Schanzenbach ([@schanzen](https://togithub.com/schanzen)) for reporting and assisting me with this issue. - Fix CVE-2023-50387 (GHSA-crjg-w57m-rqqf) Denial-of-Service Algorithmic Complexity Attacks (KeyTrap) - Fix CVE-2023-50868 (GHSA-mmwx-rj87-vfgr) NSEC3 closest encloser proof can exhaust CPU resources (KeyTrap) - Fix running all DNSSEC on the specified executor - Add new DNSSEC algorithm constants for SM2SM3 and ECC-GOST12 - Add A/AAAA record constructor with IP address byte array - Validate DS record digest lengths ([#250](https://togithub.com/dnsjava/dnsjava/issues/250)) - Fix NPE in SimpleResolver on invalid responses ([#277](https://togithub.com/dnsjava/dnsjava/issues/277)) - Add support for JEP 418: Internet-Address Resolution SPI ([#290](https://togithub.com/dnsjava/dnsjava/issues/290)) - Full JPMS support ([#246](https://togithub.com/dnsjava/dnsjava/issues/246)) - Pluggable I/O for SimpleResolver ([@chrisruffalo](https://togithub.com/chrisruffalo), [#253](https://togithub.com/dnsjava/dnsjava/issues/253)) - UDP port leak in SimpleResolver ([#318](https://togithub.com/dnsjava/dnsjava/issues/318)) - Fix clean shutdown in app containers when never used ([#319](https://togithub.com/dnsjava/dnsjava/issues/319)) - Fix concurrency issue in I/O clients ([#315](https://togithub.com/dnsjava/dnsjava/issues/315), [#323](https://togithub.com/dnsjava/dnsjava/issues/323)) - LookupSession doesn't cache CNAMEs ([#316](https://togithub.com/dnsjava/dnsjava/issues/316)) - SimpleResolver can fail with UPDATE response ([#322](https://togithub.com/dnsjava/dnsjava/issues/322)) - Replace synchronization in Zone with locks ([#305](https://togithub.com/dnsjava/dnsjava/issues/305), based on work from [@srijeet0406](https://togithub.com/srijeet0406) in [#306](https://togithub.com/dnsjava/dnsjava/issues/306))Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.