Bug 1013076 (CVE-2013-4386)

Summary: CVE-2013-4386 Foreman: host and host group parameter SQL injection
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aortega, apevec, athomas, ayoung, bkearney, chrisw, cpelland, cwolfe, dcleal, gkotton, iheim, jrusnack, kseifried, lhh, markmc, mmccune, ohadlevy, ohochman, rbryant, sclewis, security-response-team, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-20 05:24:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1013078, 1013079
Bug Blocks: 1013084

Description Kurt Seifried 2013-09-27 19:26:54 UTC
Dominic Cleal of Red Hat reported an SQL injection vulnerability in Foreman.

Host and host group parameter overrides (lookup_values) use a hand-crafted SQL query to associate the host/host group to the lookup_value object, as it searches for lookup_values with the "fqdn=foo.example.com" or "hostgroup=Foo" syntaxes. The association calls a method on the host or host group for the matcher string, then puts the response straight into the SQL query. By changing the host's FQDN or the host group's label, arbitrary SQL can be injected.

External references:
http://projects.theforeman.org/issues/3160
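The matcher pattern described above, shown in the vulnerable string-built form beside a parameterised form, as an added Ruby example that is not Foreman's own code: `Host`, `Hostgroup`, the `lookup_values` table and the `match` column are stand-ins for the real models and schema, and the name-format check is an assumed defence-in-depth measure, not the upstream fix.

```ruby
# Stand-ins for the Foreman models: the matcher is derived from Host#fqdn or
# Hostgroup#label, both of which an authorised user can change.
Host = Struct.new(:fqdn)
Hostgroup = Struct.new(:label)

# Builds the "fqdn=..." / "hostgroup=..." matcher string used to find overrides.
def matcher_for(obj)
  case obj
  when Host      then "fqdn=#{obj.fqdn}"
  when Hostgroup then "hostgroup=#{obj.label}"
  else raise ArgumentError, "unsupported object #{obj.class}"
  end
end

# Vulnerable pattern: the matcher, built from a user-controlled name, is
# interpolated straight into the SQL text, so a quote in the name ends the
# string literal and whatever follows becomes SQL.
def lookup_values_sql_vulnerable(obj)
  "SELECT * FROM lookup_values WHERE match = '#{matcher_for(obj)}'"
end

# Hardened pattern: the SQL text is fixed and the matcher travels as a bind
# value; this is the [sql, value] shape ActiveRecord's where() accepts.
def lookup_values_sql_safe(obj)
  ["SELECT * FROM lookup_values WHERE match = ?", matcher_for(obj)]
end

# Defence in depth (assumed, not from the page): names that feed a matcher
# must look like a hostname or a simple label before reaching any query.
FQDN_RE  = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i
LABEL_RE = %r{\A[\w ./-]+\z}

def valid_matcher_source?(obj)
  case obj
  when Host      then FQDN_RE.match?(obj.fqdn.to_s)
  when Hostgroup then LABEL_RE.match?(obj.label.to_s)
  else false
  end
end

if __FILE__ == $0
  bad = Host.new("x'.example.com")         # constructed: a name carrying a quote
  puts lookup_values_sql_vulnerable(bad)   # quote lands inside the SQL text
  p lookup_values_sql_safe(bad)            # quote stays inside the bound value
  puts valid_matcher_source?(bad)          # false: rejected before any query
end
```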

Comment 3 Murray McAllister 2013-09-30 09:15:48 UTC
Acknowledgements:

This issue was discovered by Dominic Cleal of Red Hat.

Comment 7 errata-xmlrpc 2013-11-14 17:32:25 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1522 https://rhn.redhat.com/errata/RHSA-2013-1522.html