Bug 1155708 (CVE-2014-3712)

Summary: CVE-2014-3712 Katello: user parameters passed to to_sym
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bkearney, cbillett, cpelland, ehelms, jrusnack, katello-bugs, kseifried, mmccune, tjay, tomckay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://projects.theforeman.org/issues/8263
Whiteboard: impact=low,public=20141022,reported=20141016,source=redhat,cvss2=3.5/AV:N/AC:M/Au:S/C:N/I:N/A:P,rhn_satellite_6/katello=affected,rhn_satellite_6/ruby193-rubygem-katello=affected,sam-1/katello=affected,cwe=CWE-20->CWE-400
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-04 05:29:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1155711, 1155714, 1161010    
Bug Blocks: 1155710    

Description Kurt Seifried 2014-10-22 16:50:25 UTC
Jan Rusnacko of Red Hat reports:

Katello code exposes potential to_sym Denial of Service attack vector from user input parameters. The two places identified are:

https://github.com/Katello/katello/blob/9231e24f93fa804e557fc95637cfa2c5bb92f6a7/app/controllers/katello/content_search_controller.rb#L617

https://github.com/Katello/katello/blob/9231e24f93fa804e557fc95637cfa2c5bb92f6a7/app/controllers/katello/api/api_controller.rb#L87

This type of attack is documented here - http://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Secure_Ruby_Development_Guide/RubySymbols.html

This has been confirmed in testing by Eric Helms of Red Hat.

Comment 1 Kurt Seifried 2014-10-22 16:52:46 UTC
*** Bug 1153824 has been marked as a duplicate of this bug. ***

Comment 4 Murray McAllister 2014-10-23 01:43:08 UTC
Acknowledgements:

This issue was discovered by Jan Rusnacko of Red Hat Product Security.

Comment 5 Eric Helms 2014-11-04 16:05:57 UTC
Created redmine issue http://projects.theforeman.org/issues/8263 from this bug