CVE-2023-40273: Remove user sessions when resetting password by potiuk · Pull Request #33347 · apache/airflow
The session fixation vulnerability allowed an authenticated user to continue accessing the Airflow webserver even after the user's password had been reset by the admin, up until the expiry of that user's session. Other than manually cleaning the session database (for the database session backend), or changing the secure_key and restarting the webserver, there was no mechanism to force-logout the user, and the secure_key route logs out all other users as well.
With this fix, when the database session backend is used, the existing sessions of the user are invalidated when the user's password is reset. When the securecookie session backend is used, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (which logs out all other users), but the user resetting the password is informed of this by a flash warning displayed in the UI. Documentation has also been updated to explain this behaviour.
Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.
When a user's password is reset, we also remove all DB sessions for that user.
potiuk marked this pull request as ready for review on August 13, 2023 14:41
A few screenshots (images not captured here):
Case for securecookie:
Huge number of rows (8!)
I already added the missing space BTW.
- The airflow db clean command
Nit, IMHO I think we should not clean up the session table on each password reset, but if the others are ok with that, I would be ok too.
When a user's password is reset, we also remove all DB sessions for that user (for the database session backend).
In case we are using the securecookie mechanism, resetting the password does not invalidate old sessions, so instead we display a warning to the user performing the reset that, in order to clear the existing sessions of the user, the secure_key needs to be changed, which will invalidate all sessions for all users.
Protection has been added for the case where the number of sessions in the DB is too big to effectively scan and remove sessions for the user. In such a case we print a warning for the user that sessions have not been reset, and we suggest improving the way their deployment creates so many sessions, either by changing how automation of the API calls is done and/or by purging the sessions regularly with "airflow db clean".
Co-authored-by: Hussein Awala [email protected]
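The two backends behave differently for a structural reason, and the scan cap in the description above follows from it. The block below is an added example written for this page, not Airflow's code: a minimal server-side session table whose rows hold an opaque serialized payload (so revoking one user's sessions means loading and inspecting every row, which is why a cap on the table size makes sense), beside an HMAC-signed client-side cookie session that the server has no record of and therefore cannot revoke individually, only wholesale by rotating the key. The class names, the `_user_id` payload key, the `MAX_SESSIONS_TO_SCAN` value, the `reset_password` outcome strings and the sample sessions are all assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
from typing import Optional, Tuple, Union

# Assumed cap on how many session rows a password reset is willing to scan;
# the value is illustrative, not the project's.
MAX_SESSIONS_TO_SCAN = 50_000


class DatabaseSessionStore:
    """Server-side sessions: one row per session, the payload stored as an
    opaque serialized blob (constructed for this example, in-memory SQLite)."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE session (sid TEXT PRIMARY KEY, data BLOB NOT NULL)")

    def create(self, sid: str, payload: dict) -> None:
        self.conn.execute("INSERT INTO session VALUES (?, ?)", (sid, json.dumps(payload).encode()))

    def count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM session").fetchone()[0]

    def is_valid(self, sid: str) -> bool:
        return self.conn.execute("SELECT 1 FROM session WHERE sid = ?", (sid,)).fetchone() is not None

    def delete_user_sessions(self, user_id: int) -> int:
        """Delete every session whose payload belongs to user_id. The user id is
        inside the blob, not an indexed column, so this deserializes every row;
        that cost is what the scan cap protects against."""
        rows = self.conn.execute("SELECT sid, data FROM session").fetchall()
        victims = [sid for sid, data in rows if json.loads(data).get("_user_id") == user_id]
        self.conn.executemany("DELETE FROM session WHERE sid = ?", [(sid,) for sid in victims])
        return len(victims)


class SecureCookieSessions:
    """Client-side sessions: the payload lives in the cookie, signed with the
    server secret. Nothing is stored server-side, so nothing can be deleted;
    only changing the key invalidates cookies, and then it invalidates all of them."""

    def __init__(self, secret_key: bytes) -> None:
        self.secret_key = secret_key

    def issue(self, payload: dict) -> str:
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        sig = hmac.new(self.secret_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def load(self, token: str) -> Optional[dict]:
        body, _, sig = token.rpartition(".")
        expected = hmac.new(self.secret_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # key rotated or token tampered with
        return json.loads(base64.urlsafe_b64decode(body))


def reset_password(user_id: int, new_password: str, users: dict,
                   sessions: Union[DatabaseSessionStore, SecureCookieSessions],
                   max_scan: int = MAX_SESSIONS_TO_SCAN) -> Tuple[str, int]:
    """Store the new password, then try to revoke the user's existing sessions.
    Returns (outcome, count) so the caller can flash the right warning:
      "invalidated"   count = sessions deleted (database backend)
      "too_many_rows" count = rows in the table; nothing deleted, over the cap
      "securecookie"  nothing can be deleted; the secret key must be rotated
    """
    users[user_id] = hashlib.sha256(new_password.encode()).hexdigest()  # stand-in, not a real password hash
    if isinstance(sessions, DatabaseSessionStore):
        total = sessions.count()
        if total > max_scan:
            return "too_many_rows", total
        return "invalidated", sessions.delete_user_sessions(user_id)
    return "securecookie", 0


def demo() -> dict:
    """Constructed scenario: alice (id 1) has two DB sessions and one cookie
    session, bob (id 2) has one DB session; the admin resets alice's password."""
    users = {1: "old-hash", 2: "old-hash"}
    db = DatabaseSessionStore()
    db.create("alice-1", {"_user_id": 1})
    db.create("alice-2", {"_user_id": 1})
    db.create("bob-1", {"_user_id": 2})
    db_outcome = reset_password(1, "new-password", users, db)

    cookies = SecureCookieSessions(b"old-secret")
    alice_cookie = cookies.issue({"_user_id": 1})
    cookie_outcome = reset_password(1, "new-password", users, cookies)
    valid_after_reset = cookies.load(alice_cookie) is not None
    cookies.secret_key = b"rotated-secret"  # the only remedy, and it logs out every user
    valid_after_rotation = cookies.load(alice_cookie) is not None

    return {
        "db_outcome": db_outcome,
        "alice_db_session_valid": db.is_valid("alice-1"),
        "bob_db_session_valid": db.is_valid("bob-1"),
        "cookie_outcome": cookie_outcome,
        "cookie_valid_after_reset": valid_after_reset,
        "cookie_valid_after_rotation": valid_after_rotation,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry: the database backend drops alice's two rows and leaves bob's untouched, while the signed cookie still verifies after the reset and only stops verifying once the key is rotated, at which point bob's cookie would fail too. The `max_scan` parameter is the knob a deployment that accumulates many API-driven sessions would hit; when the table is over the cap the function reports that nothing was revoked rather than silently scanning.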
LGTM
LGTM
potiuk deleted the add-session-deleting-on-password-reset branch on August 13, 2023 19:21
ephraimbuddy pushed a commit that referenced this pull request on Aug 14, 2023
* Remove user sessions when resetting password
* Update airflow/auth/managers/fab/security_manager/override.py
Co-authored-by: Hussein Awala [email protected]
(cherry picked from commit 2caa186)
ferruzzi pushed a commit to aws-mwaa/upstream-to-airflow that referenced this pull request on Aug 17, 2023
* Remove user sessions when resetting password
* Update airflow/auth/managers/fab/security_manager/override.py
Co-authored-by: Hussein Awala [email protected]