Bug 1369285 (CVE-2016-6338)

Summary: CVE-2016-6338 ovirt-engine: webadmin log out must logout all sessions
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bmcclain, dblechte, eedri, gshereme, lsurette, mgoldboi, michal.skrivanek, nobody, security-response-team, srevivo, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the ovirt-engine webadmin session would not properly enforce timeouts. Browser sessions would remain logged in beyond the administratively configured session timeout period.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:57:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1370632, 1370633, 1370890, 1471325    
Bug Blocks: 1368366    

Description Kurt Seifried 2016-08-23 02:11:52 UTC 
Greg Sheremeta of Red Hat reports:

We've found a scenario a webadmin session won't timeout and force a logout. We had a CVE on this before.

To duplicate: navigate to the Data Centers tab. Select a data center. Switch to another browser tab and wait longer than the engine timeout period [1] to switch back to webadmin. You won't be logged out -- even though you should be.

Basically, idling while certain things in the UI are selected (a data center, a cluster -- maybe others?) will prevent the session from timing out. We see three gluster queries that are repeating and keeping the session open. Alexander is looking for others. We know the fix -- just have to find them all.
Comment 1 Kurt Seifried 2016-08-23 02:12:01 UTC 
Acknowledgments:

Name: Greg Sheremeta (Red Hat)
Comment 4 Kurt Seifried 2016-08-28 02:07:20 UTC 
Created ovirt-engine tracking bugs for this issue:

Affects: fedora-all [bug 1370890]
Comment 5 Oved Ourfali 2016-08-30 12:15:17 UTC 
*** Bug 1370318 has been marked as a duplicate of this bug. ***
Comment 7 errata-xmlrpc 2017-12-12 09:20:37 UTC 
This issue has been addressed in the following products:

  RHEV Engine version 4.1

Via RHSA-2017:3427 https://access.redhat.com/errata/RHSA-2017:3427