Bug 1220853 (CVE-2015-3199)

Summary: CVE-2015-3199 foreman_discovery: auto provision rule does not enforce host group association to org/location
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: abaron, anthomas, aortega, apevec, ayoung, bkearney, chrisw, cpelland, cperry, dallan, dcleal, eglynn, ehelms, ggainey, gkotton, jjoyce, jrusnack, jschluet, juwatts, katello-bugs, lhh, lpeer, lsvaty, markmc, mburns, mgarciac, mhulan, mmccune, nmoumoul, ohadlevy, osousa, pcreech, pgrist, rbryant, rchan, rhos-maint, sclewis, smallamp, tjay, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
[REJECTED CVE] It was found that the Foreman Discovery plug-in's auto provision rules did not correctly enforce group association to an organization or a location.

Steps to reproduce:

1. log in with a user that has 2 locations (A, B)
2. discover a host and make sure it is connected to location B
3. create a hostgroup in location A
4. create a discovery rule in location B to match the discovered host and use the hostgroup from 3
5. log in with a user with permissions to location B only
6. you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
7. auto provision the discovered host
8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for

Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-04 15:37:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1220855

Description Martin Prpič 2015-05-12 15:38:04 UTC
It was found that the Foreman Discovery plug-in's auto provision rules did not correctly enforce group association to an organization or a location.

Steps to reproduce:

1. log in with a user that has 2 locations (A, B)
2. discover a host and make sure it is connected to location B
3. create a hostgroup in location A
4. create a discovery rule in location B to match the discovered host and use the hostgroup from 3
5. log in with a user with permissions to location B only
6. you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
7. auto provision the discovered host
8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for

Upstream issue with additional details:

http://projects.theforeman.org/issues/10469
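The following is an added Ruby model of the scenario in the report, not Foreman's own code: the classes, the `auto_provision_*` functions and the constructed location/hostgroup/rule objects are hypothetical. It contrasts applying a rule's hostgroup without any taxonomy check against a variant that requires the hostgroup to be associated with the rule's location, and shows the index-page visibility check from step 6.

```ruby
# Constructed model of the access-control gap in the report (hypothetical
# classes; not Foreman's own models).
Location      = Struct.new(:name)
Hostgroup     = Struct.new(:name, :locations)
DiscoveredHost = Struct.new(:name, :location)
DiscoveryRule = Struct.new(:name, :location, :hostgroup)
User          = Struct.new(:login, :locations)

class ScopeError < StandardError; end

# Behaviour described in the report: the rule's hostgroup is applied even
# though it is not associated with the location the rule and host live in.
def auto_provision_unchecked(host, rule)
  { host: host.name, hostgroup: rule.hostgroup.name }
end

# Enforced variant: refuse to provision unless the host is in the rule's
# location and the hostgroup is associated with that same location.
def auto_provision_scoped(host, rule)
  loc = rule.location
  unless host.location == loc
    raise ScopeError, "host #{host.name} is not in location #{loc.name}"
  end
  unless rule.hostgroup.locations.include?(loc)
    raise ScopeError, "hostgroup #{rule.hostgroup.name} not in location #{loc.name}"
  end
  { host: host.name, hostgroup: rule.hostgroup.name }
end

# Index-page visibility (step 6): a user sees a hostgroup only when it
# shares at least one location with them.
def hostgroup_visible?(user, hostgroup)
  (user.locations & hostgroup.locations).any?
end

# Constructed scenario from the report: hostgroup in A, host and rule in B,
# second user scoped to B only.
LOC_A  = Location.new("A")
LOC_B  = Location.new("B")
HG_A   = Hostgroup.new("hg-a", [LOC_A])
HOST   = DiscoveredHost.new("mac001122334455", LOC_B)
RULE   = DiscoveryRule.new("rule-b", LOC_B, HG_A)
USER_B = User.new("user_b", [LOC_B])

def demo
  scoped = begin
    auto_provision_scoped(HOST, RULE)
  rescue ScopeError => e
    e.message
  end
  { visible: hostgroup_visible?(USER_B, HG_A),
    unchecked: auto_provision_unchecked(HOST, RULE), scoped: scoped }
end
```

Running `demo` shows the hostgroup is invisible to the location-B user yet gets applied by the unchecked path, while the scoped path raises instead.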

Comment 1 Kurt Seifried 2015-07-04 15:37:14 UTC
"This was reported by Ori Rabin to foreman-security (thanks!) and a CVE identifier was filed under CVE-2015-3199, but it turned out this does not affect any released upstream version."