Bug 1340763 (CVE-2016-4471)

Summary: CVE-2016-4471 cfme: Privilege escalation causing arbitrary code execution
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: cpelland, dajohnso, dclarizi, gblomqui, gmccullo, gtanzill, hhudgeon, jfrey, jhardy, jprause, jrafanie, kseifried, obarenbo, roliveri, security-response-team, simaishi, slukasik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-12 21:25:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1353731    
Bug Blocks: 1340766    

Description Adam Mariš 2016-05-30 09:14:22 UTC 
It was found that attacker having the access to appliance filesystem is able to execute arbitrary code under the same privileges as appliance runs. This issue is present since upstream commit f077196c99feb874e5cba8b93c1f8dfe26421c1b.

Upstream patch:

https://github.com/ManageIQ/manageiq/pull/7856
Comment 2 Adam Mariš 2016-05-30 09:47:39 UTC 
Acknowledgments:

Name: Simon Lukasik (Red Hat)
Comment 4 Kurt Seifried 2016-08-12 21:25:00 UTC 
This issue was fixed in CloudForms 4.1 in erratum RHBA-2016:1348.