Bug 1649347 (CVE-2018-4700) - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection
Summary: CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-4700
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1651575 1657750 1657859
Blocks: 1649349
Reported: 2018-11-13 12:46 UTC by Pedro Sampaio
Modified: 2021-02-16 22:47 UTC

Fixed In Version: cups 2.2.10
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-31 22:33:27 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2020:1050 | 0 | None | None | None | 2020-03-31 19:16:15 UTC

Description Pedro Sampaio 2018-11-13 12:46:54 UTC
A flaw was found in the CUPS printing server. Insufficient randomness makes session cookies predictable, breaking CSRF protection.

Comment 9 Stefan Cornelius 2018-12-10 11:15:27 UTC
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1657750]

Comment 10 Zdenek Dohnal 2018-12-10 13:59:40 UTC
Stefan, would you mind creating the bugzilla for RHEL 8 too?

Comment 13 Zdenek Dohnal 2019-06-04 12:52:33 UTC
*** Bug 1695929 has been marked as a duplicate of this bug. ***

Comment 14 errata-xmlrpc 2020-03-31 19:16:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1050 https://access.redhat.com/errata/RHSA-2020:1050

Comment 15 Product Security DevOps Team 2020-03-31 22:33:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-4700

Comment 16 Tomas Hoger 2020-08-19 20:41:15 UTC
A few notes on the history of CVE-2018-4700 vs. CVE-2018-4300.

The CVE that was originally used for this issue was CVE-2018-4700.  That CVE appeared in the upstream commit (see comment 8):

https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3

and it was also used in the CHANGES file in the fixed cups version 2.2.10.  This CVE was used in Red Hat advisory RHSA-2020:1050 - see comment 14.

Some time later, Mitre asked upstream whether CVE-2018-4700 was the right one to use here, or if CVE-2018-4300 should have been used instead:

https://github.com/apple/cups/issues/5561

which led to upstream amending the CHANGES file to list CVE-2018-4300 instead:

https://github.com/apple/cups/commit/35064a25961c2d874ce6e1e90d947ad59e9a78d6

This change was first included in version 2.2.12.

The release announcement on GitHub for version 2.2.10 was retroactively updated to list CVE-2018-4300 as well:

https://github.com/apple/cups/releases/tag/v2.2.10

Note that the Release Notes page on cups.org currently lists CVE-2018-4700:

https://www.cups.org/doc/relnotes.html#020210

Mitre marked CVE-2018-4700 as rejected as a duplicate of CVE-2018-4300.

Comment 17 Doran Moppert 2020-08-20 01:19:26 UTC
Statement:

This vulnerability was originally assigned CVE-2018-4700, but after the publication of security errata the identifier was changed to CVE-2018-4300.  Both identifiers refer to the same vulnerability.  Since some sources use CVE-2018-4700 and others use CVE-2018-4300, Red Hat security advisories for this vulnerability have been amended to include both identifiers.

