Bug 1365799 (CVE-2016-2788)

Summary: CVE-2016-2788 mcollective: Improper validation of fields in MCollective pings
Product: [Other] Security Response
Component: vulnerability
Reporter: Andrej Nemec <anemec>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, admiller, carnil, ccoleman, dedgar, dmcphers, jgoulding, jialiu, joelsmith, jokerman, kseifried, lmeyer, mmccomas, tiwillia
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mcollective 2.8.9
Last Closed: 2016-09-11 02:15:00 UTC
Bug Depends On: 1365800, 1365801, 1374963
Bug Blocks: 1365813

Description Andrej Nemec 2016-08-10 08:54:50 UTC
A vulnerability was found in mcollective. Remote code execution could be achieved due to improper field validation in the 'mco ping' command.

External References:

https://puppet.com/security/cve/cve-2016-2788

Comment 1 Andrej Nemec 2016-08-10 08:55:50 UTC
Created mcollective tracking bugs for this issue:

Affects: fedora-all [bug 1365800]
Affects: epel-all [bug 1365801]

Comment 3 Kurt Seifried 2016-09-11 02:15:00 UTC
Statement:

This issue affects Red Hat Enterprise OpenShift 2. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.