Bug 607712 (CVE-2010-2236)

Summary: CVE-2010-2236 RHN Satellite / Proxy: Improper monitoring probes input sanitization (ACE)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cperry, ggainey, gmollett, jsherril, kseifried, meissner, mmraka, mzazrivec, security-response-team, taw, thomas, tlestach, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20140210,reported=20100624,source=redhat,cvss2=4.6/AV:N/AC:H/Au:S/C:P/I:P/A:P,rhn_satellite_5.6/Server=affected,rhn_proxy_5.6/Server=wontfix
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-04 05:59:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1022697, 1022698    
Bug Blocks: 730933    
Attachments:
Description Flags
Sanitize backticks in probes none

Description Jan Lieskovsky 2010-06-24 15:55:37 UTC
An improper input sanitization flaw was found in the way Red Hat Network
Satellite performed management of monitoring probes. A remote, authenticated
attacker, with the privilege to administer monitoring probes, could execute
arbitrary code with the privileges of the user, the Red Hat Network Satellite
monitoring service is running under, by providing a specially-crafted values 
for certain options of the monitoring probe display.

References:
  For further information about Red Hat Network Satellite monitoring
entitlements and management of monitoring probes, please refer to the
reference guide of your Red Hat Network Satellite installation.

Comment 8 Jan Lieskovsky 2010-06-24 16:57:12 UTC
This issue affects the following versions: 

  v4.0.0, v4.1.0, v4.2.0, v5.0.0, v5.1.0, v5.2.0, v5.3.0

of Red Hat Network Satellite.

This issue affects the v5.3.0 version of Red Hat Network Proxy.

Comment 9 Vincent Danen 2010-06-24 17:13:56 UTC
This issue has been assigned CVE-2010-2236.

Comment 22 Grant Gainey 2013-11-05 19:44:12 UTC
Created attachment 819987 [details]
Sanitize backticks in probes

This patch sanitizes probes by removing backticks.

Comment 26 Kurt Seifried 2014-03-04 05:59:25 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact. Satellite 5 is currently in the Production 2 phase of its lifecycle, as such this issue is not currently planned to be addressed in future updates. For additional information, refer to the Satellite Life Cycle: https://access.redhat.com/site/support/policy/updates/satellite page.