-
Type:
Bug
-
Resolution: Works as Designed
-
Priority:
Major - P3
-
None
-
Affects Version/s: None
-
Component/s: None
-
Labels:None
-
Server Security
-
ALL
-
Security 2023-02-20, Security 2023-03-06
Summary
Historically we haven't allowed x509 auth when the client certificate O/OU/DC matched the server certificate O/OU/DC.
The intention of SERVER-45938 was to provide a parameter to disable the O/OU/DC check and disable it automatically when the clusterAuthMode is keyFile (because in this case we don't care about the cert clash as there would be no x509 cluster auth).
The enforceUserClusterSeparation parameter was introduced to override this behaviour. Code was added to the createUser and authentication commands accordingly.
The logic for the authentication command has been implemented - I believe - incorrectly. Currently, the O/OU/DC client/server validation only takes place if the clusterAuthMode does not allow X509 (i.e keyFile mode). For X509 clusterAuthMode, no validation is performed, only a log warning.
We actually want the validation to be performed on the X509 code path only - with no validation when using keyFile.
The validation logic for theĀ createUser command and configuration check on process startup seem correct.
Faulty logic:
Motivation
How does this affect the end user?
Possible security implications due to faulty validation logic.
Currently, when X509 clusterAuth is enabled, any client certificate that matches the server O/OU/DC will bypass validation and be granted __system privileges.
How likely is it that this problem or use case will occur?
Fairly rare.
- is caused by
-
-
- Closed
-
- is related to
-
DOCS-15864 [SERVER] documentation for enforceUserClusterSeparation parameter
-
- Closed
-
- related to
-
SERVER-45938 Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile
-
- Closed
-