Bug 1333405
| Field | Value |
|---|---|
| Summary | CVE-2016-3728 foreman: Missing input validation in Smart Proxy allows RCE via TFTP file variant parameter |
| Product | Red Hat Satellite |
| Component | Foreman Proxy |
| Version | 6.2.0 |
| Reporter | Lukas Zapletal <lzap> |
| Assignee | Lukas Zapletal <lzap> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Keywords | Security, Triaged |
| Target Milestone | Unspecified |
| Target Release | Unused |
| Hardware | All |
| OS | Linux |
| URL | http://projects.theforeman.org/issues/14931 |
| Whiteboard | impact=moderate, public=20160505, reported=20160505, source=upstream, cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P, cwe=CWE-20, rhn_satellite_6/foreman=new, openstack-foreman/foreman=new, openstack-6-installer/foreman=new |
| Fixed In Version | foreman-proxy-1.11.0.4-1 |
| Doc Type | Bug Fix |
| Clone Of | CVE-2016-3728 |
| Last Closed | 2016-07-27 11:33:18 UTC |
| Bug Blocks | 1333378 |
| CC | abaron, aortega, apevec, ayoung, bbuckingham, bkearney, cbillett, chrisw, jschluet, lhh, lpeer, markmc, mburns, mmccune, ohadlevy, rbryant, rhos-maint, satellite6-bugs, sclewis, security-response-team, srevivo, sthirugn, tbrisker, tdecacqu, tjay, tlestach |
Comment 1
Bryan Kearney
2016-05-05 14:17:46 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/14931 has been closed.

Verified on Snap 12. Attempting to access a non-existent variant leads to 403 Forbidden with relevant message:

```
[root@sat-test-rhel7 foreman]# curl -g http://127.0.0.1:8000/tftp/ls/aa:bb:cc:dd:ee:ff -v
* About to connect() to 127.0.0.1 port 8000 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> GET /tftp/ls/aa:bb:cc:dd:ee:ff HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8000
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json;charset=utf-8
< Content-Length: 36
< X-Content-Type-Options: nosniff
< Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-11-13) OpenSSL/1.0.1e
< Date: Mon, 23 May 2016 08:01:10 GMT
< Connection: Keep-Alive
<
* Connection #0 to host 127.0.0.1 left intact
Unrecognized pxeboot config type: ls
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501
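The verification above shows the fixed proxy answering an unknown variant (`ls`) with 403 instead of acting on it. The following is an added example, not foreman-proxy's own code and not the upstream patch: a minimal model of the `GET /tftp/<variant>/<mac>` dispatch with a hypothetical unsafe shape (the variant spliced into Ruby source and evaluated) next to a whitelist-based dispatch that rejects anything outside a fixed set of handlers. The handler names, the `instantiate_*`/`tftp_get` functions and the MAC check are assumptions for illustration; the bug report does not show the original code.

```ruby
# Added example, not foreman-proxy's own code: a minimal model of the Smart Proxy
# TFTP dispatch for GET /tftp/<variant>/<mac>. The unsafe shape is a hypothetical
# reconstruction of the bug class (CWE-20 leading to code execution); the handler
# names are assumptions, not taken from the project.

module Proxy
  module TFTP
    # Stand-ins for the real PXE config renderers; each just reports its name.
    class Syslinux; def name; 'syslinux'; end; end
    class Pxelinux; def name; 'pxelinux'; end; end
    class Pxegrub;  def name; 'pxegrub';  end; end
    class Pxegrub2; def name; 'pxegrub2'; end; end
  end
end

# HYPOTHETICAL vulnerable shape: the variant is spliced into Ruby source, so a
# path segment such as
#   syslinux;$pwned=true;Proxy::TFTP::Syslinux
# executes "$pwned=true" (or any other statement) and still returns a valid
# handler, so the request looks normal. Never dispatch on untrusted input this way.
def instantiate_unsafe(variant)
  class_name = variant.sub(/\A./) { |c| c.upcase }   # only the first char is touched
  eval("Proxy::TFTP::#{class_name}").new
end

# Hardened dispatch: an explicit whitelist keyed by the exact string from the URL.
# Unknown values never reach constant lookup, eval, or the filesystem.
HANDLERS = {
  'syslinux' => Proxy::TFTP::Syslinux,
  'pxelinux' => Proxy::TFTP::Pxelinux,
  'pxegrub'  => Proxy::TFTP::Pxegrub,
  'pxegrub2' => Proxy::TFTP::Pxegrub2,
}.freeze

# Same MAC syntax the verification request used; rejects path separators and
# anything else that could steer the rendered config's filename (an extra check
# added here, not one the bug report describes).
MAC_RE = /\A([0-9a-f]{2}:){5}[0-9a-f]{2}\z/i

class Forbidden < StandardError
  def status; 403; end
end

def instantiate_safe(variant)
  klass = HANDLERS[variant]
  raise Forbidden, "Unrecognized pxeboot config type: #{variant}" unless klass
  klass.new
end

# Simulated route for GET /tftp/<variant>/<mac>; returns [status, body] the way
# the HTTP layer would, with the same 403 text the verification shows.
def tftp_get(variant, mac)
  raise Forbidden, "Invalid MAC address: #{mac}" unless mac =~ MAC_RE
  handler = instantiate_safe(variant)
  [200, "#{handler.name} config for #{mac}"]
rescue Forbidden => e
  [e.status, e.message]
end

if __FILE__ == $0
  p tftp_get('syslinux', 'aa:bb:cc:dd:ee:ff')  # [200, "syslinux config for aa:bb:cc:dd:ee:ff"]
  p tftp_get('ls', 'aa:bb:cc:dd:ee:ff')        # [403, "Unrecognized pxeboot config type: ls"]
  $pwned = false
  instantiate_unsafe('syslinux;$pwned=true;Proxy::TFTP::Syslinux')
  p $pwned                                     # true: the path segment executed code
  p tftp_get('syslinux;$pwned=true;Proxy::TFTP::Syslinux', 'aa:bb:cc:dd:ee:ff')[0]  # 403
end
```

The point of the whitelist is that the lookup key is the raw string and the set of values is closed: there is no string-to-constant or string-to-code step for an attacker to steer, so the 403 path is the only thing an unknown variant can reach.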