<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 22:22:45 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[SUP-81] Vulnerability to denial of service attack</title>
                <link>https://folio-org.atlassian.net/browse/SUP-81</link>
                <project id="10247" key="SUP">Support</project>
                    <description>&lt;p&gt;&lt;b&gt;Overview:&lt;/b&gt; A library raised the following issue after having several users rendered inactive due to invalid credential attempts. Please note that identifying information has been anonymized for this ticket submission:&lt;/p&gt;

&lt;p&gt;A system which has a publicly accessible log-in page and permanently locks an account after failed authentication attempts is vulnerable to a denial-of-service attack, which is aggravated if that system doesn&apos;t have source-based rate-limiting. To estimate our vulnerability, I created and set passwords for 10,000 test accounts in &lt;span class=&quot;error&quot;&gt;&amp;#91;a&amp;#93;&lt;/span&gt; test FOLIO instance.&lt;span class=&quot;error&quot;&gt;&amp;#91;2&amp;#93;&lt;/span&gt; Then I hastily put together and executed a command to lock those accounts:&lt;span class=&quot;error&quot;&gt;&amp;#91;3&amp;#93;&lt;/span&gt; It locked all 10,000 in less than twenty minutes.&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;Our production FOLIO instance has &lt;span class=&quot;error&quot;&gt;&amp;#91;tens of thousands of&amp;#93;&lt;/span&gt;&#160;active accounts.&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;&#160;&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;To approximate the abilities of a mischievous freshman, I gave&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;&#160;&#160;&#160;&#160; myself ten minutes to come up with this: I used my browser&apos;s&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160; debugger to capture the form submission at the log-in page as a&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160; Curl command and saved that as a script with the username&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160; parameterized such that:&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160;&#160;&#160; ./fail-login &lt;span class=&quot;error&quot;&gt;&amp;#91;username&amp;#93;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160; would make one failed attempt to log in to my account. I then&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160; executed:&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160;&#160;&#160; cat users users users users users |&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; xargs parallel-moreutils -j 100 \&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &quot;./fail-login.sh&quot; &amp;#8211;&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160; Our hypothetical freshman wouldn&apos;t have trouble getting a nearly&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160; complete list of real usernames to use, since anyone on &lt;span class=&quot;error&quot;&gt;&amp;#91;the university&amp;#39;s&amp;#93;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160; network can retrieve a list of campus usernames from &lt;span class=&quot;error&quot;&gt;&amp;#91;the university&amp;#39;s&amp;#93;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;&#160;&#160;&#160;&#160; directory server or several other sources.&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;</description>
                <environment></environment>
        <key id="78950">SUP-81</key>
            <summary>Vulnerability to denial of service attack</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="1" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/open.png" description="The issue is open and ready for the assignee to start work on it.">Open</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="632e12f7748d1bfcb85875fd">Molly Driscoll</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Tue, 6 Sep 2022 16:45:47 +0000</created>
                <updated>Thu, 27 Oct 2022 15:42:32 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>5</watches>
                                                                <comments>
                                                            <comment id="187686" author="5af5e627525ba96b58654f12" created="Tue, 6 Sep 2022 17:04:32 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt; Which dev team do you think this should be assigned to?&lt;/p&gt;</comment>
                                                            <comment id="187687" author="5af5e627525ba96b58654f12" created="Wed, 7 Sep 2022 05:25:03 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt; What do you think in terms of Dev Team and priority? Thank you!&lt;/p&gt;</comment>
                                                            <comment id="187688" author="5af5e627525ba96b58654f12" created="Thu, 13 Oct 2022 05:23:09 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt; and &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt; This bug has been sitting for a month - not assigned to a dev team or a particular project. Should it maybe be mod-users? As long as it&apos;s not assigned to a dev team, it&apos;s likely not being tracked or reviewed by a PO. &lt;/p&gt;</comment>
                                                            <comment id="187689" author="5cf6c546b87c300f36eb7b9a" created="Thu, 13 Oct 2022 17:37:35 +0000"  >&lt;p&gt;Thanks for bringing this to our attention &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5af5e627525ba96b58654f12&quot; class=&quot;user-hover&quot; rel=&quot;5af5e627525ba96b58654f12&quot; data-account-id=&quot;5af5e627525ba96b58654f12&quot; accountid=&quot;5af5e627525ba96b58654f12&quot; rel=&quot;noreferrer&quot;&gt;Ann-Marie Breaux&lt;/a&gt;.&#160; I&apos;m going to add the &apos;security&apos; tag so it&apos;s on the security team&apos;s radar.&lt;/p&gt;</comment>
                                                            <comment id="187690" author="5ee89462f7aa140abd82d11d" created="Thu, 20 Oct 2022 15:33:29 +0000"  >&lt;p&gt;Institutions that use SAML Single-Sign-On are not affected. Please put only affected institutions into the &quot;Affected institutions&quot; field.&lt;/p&gt;</comment>
                                                            <comment id="187691" author="712020:d28f3303-d132-4a90-a1e4-02884a0fd949" created="Thu, 20 Oct 2022 15:38:40 +0000"  >&lt;p&gt;The security group has reviewed this, and this is the usual way logins prevent brute-force attacks. Usually usernames are not broadly known.&lt;/p&gt;

&lt;p&gt;One option would be to limit access at the sysops level so that a single IP cannot flood the login endpoint with requests. We might provide some more input soon.&lt;/p&gt;</comment>
                                                            <comment id="187692" author="5ee89462f7aa140abd82d11d" created="Fri, 21 Oct 2022 13:38:52 +0000"  >&lt;p&gt;Relevant OWASP information:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#account-lockout&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#account-lockout&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</comment>
                                                            <comment id="187693" author="5ee89462f7aa140abd82d11d" created="Fri, 21 Oct 2022 13:46:39 +0000"  >&lt;p&gt;The POST /authn/login is the back-end API involved:&lt;br/&gt;
&lt;a href=&quot;https://s3.amazonaws.com/foliodocs/api/mod-login/r/login.html&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://s3.amazonaws.com/foliodocs/api/mod-login/r/login.html&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://github.com/folio-org/mod-login#module-properties-to-set-up-at-mod-configuration&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-login#module-properties-to-set-up-at-mod-configuration&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="187694" author="5af5e627525ba96b58654f12" created="Fri, 21 Oct 2022 20:32:12 +0000"  >&lt;p&gt;Is any team taking ownership of this Jira, at least for their backlog? If not, I can put &quot;Other dev&quot; on it, and it can just disappear into the Jira void.&lt;/p&gt;</comment>
                                                            <comment id="187695" author="632e12f7748d1bfcb85875fd" created="Fri, 21 Oct 2022 20:50:11 +0000"  >&lt;p&gt;Thank you for the additional information &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt;. The reason that I added ALL to the affected institutions is because even those using SAML SSO still have a username and password authentication option present on their login screens. So, if a username is known (or guessed) this could still be used as a method for malicious lockout. In fact, it was an institution with SSO login configured that initially reported the issue. As I understand it, even if this option were not present on the login UI, this type of attack could still be initiated directly against mod-login. I will certainly read through the resources that you posted and reach out with any further questions! Have a nice weekend!&lt;/p&gt;</comment>
                                                            <comment id="187696" author="5cf6c546b87c300f36eb7b9a" created="Tue, 25 Oct 2022 13:46:37 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5af5e627525ba96b58654f12&quot; class=&quot;user-hover&quot; rel=&quot;5af5e627525ba96b58654f12&quot; data-account-id=&quot;5af5e627525ba96b58654f12&quot; accountid=&quot;5af5e627525ba96b58654f12&quot; rel=&quot;noreferrer&quot;&gt;Ann-Marie Breaux&lt;/a&gt; The security team will discuss this week and take &lt;em&gt;some&lt;/em&gt; (TBD) action....&#160; e.g. find/assign an appropriate team, close as &quot;won&apos;t do&quot;, etc.&#160;&lt;/p&gt;</comment>
                                                            <comment id="187697" author="5cf6c546b87c300f36eb7b9a" created="Thu, 27 Oct 2022 15:42:32 +0000"  >&lt;p&gt;The security team discussed this and has a few ideas that may be worth exploring:&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;Send a notification to the user upon lockout, with a link that unlocks the account.
	&lt;ol&gt;
		&lt;li&gt;This will likely have dependency implications... mod-login depending on mod-email, etc.&lt;/li&gt;
	&lt;/ol&gt;
	&lt;/li&gt;
	&lt;li&gt;Only lock the user out for a configurable amount of time, then automatically unlock their account.
	&lt;ol&gt;
		&lt;li&gt;This still defeats brute-force attacks.&lt;/li&gt;
	&lt;/ol&gt;
	&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;NOTE:&#160; While Stripes calls mod-users-bl&apos;s login endpoint, the fix needs to happen in mod-login, since an attacker can hit the mod-login APIs directly.&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10367"><![CDATA[TBD]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i05deo:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 6 Sep 2022 17:04:32 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>