Bug 1417702 (CVE-2017-2614)

Summary: CVE-2017-2614 rhev-m-4: Fails to validate existing expired passwords when changing a password
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bmcclain, dblechte, eedri, mgoldboi, michal.skrivanek, mperina, sbonazzo, security-response-team, sherold, ykaul, ylavi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ovirt-engine-extension-aaa-jdbc 1.1.3
Doc Type: If docs needed, set a value
Doc Text:
When updating a password in the RHV Manager (rhvm) database, the ovirt-aaa-jdbc-tool tools fail to correctly check the current password if it is expired. An attacker who is able to run the password change could therefore set a new password on accounts whose passwords have expired and gain access to those accounts.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-02-06 23:45:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1416935
Bug Blocks: 1417706

Description Kurt Seifried 2017-01-30 17:15:25 UTC
Dominic Geevarghese of Red Hat reports:

RHV 4 Manager fails to validate expired passwords when prompted to change a password.
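The check the Doc Text describes, as an added illustration that is not code from ovirt-engine-extension-aaa-jdbc: a constructed in-memory user record with the flawed change-password logic beside the corrected one. The record's field names, the PBKDF2 hashing and the 90-day validity period are assumptions made for this example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the aaa-jdbc user record; field names and the
# 90-day validity period are assumptions for this example, not the real schema.
PASSWORD_VALIDITY_DAYS = 90


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, valid_for_days: int = PASSWORD_VALIDITY_DAYS) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt),
            "password_valid_to": datetime.now(timezone.utc) + timedelta(days=valid_for_days)}


def _is_expired(user: dict) -> bool:
    return datetime.now(timezone.utc) >= user["password_valid_to"]


def _current_password_ok(user: dict, current: str) -> bool:
    # Constant-time comparison of the stored hash with the supplied password's hash.
    return hmac.compare_digest(_hash(current, user["salt"]), user["hash"])


def _store_new_password(user: dict, new: str) -> None:
    user["salt"] = os.urandom(16)
    user["hash"] = _hash(new, user["salt"])
    user["password_valid_to"] = datetime.now(timezone.utc) + timedelta(days=PASSWORD_VALIDITY_DAYS)


def change_password_vulnerable(user: dict, current: str, new: str) -> bool:
    """Flawed pattern: once the password has expired the caller is no longer
    required to prove knowledge of it, so anyone can set a new one."""
    if not _is_expired(user) and not _current_password_ok(user, current):
        return False
    _store_new_password(user, new)
    return True


def change_password_fixed(user: dict, current: str, new: str) -> bool:
    """Expiry decides whether the account may log in; it never removes the
    requirement to prove the current secret before replacing it."""
    if not _current_password_ok(user, current):
        return False
    _store_new_password(user, new)
    return True
```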

Comment 1 Kurt Seifried 2017-01-30 17:15:36 UTC
Acknowledgments:

Name: Dominic Geevarghes (Red Hat)

Comment 4 errata-xmlrpc 2017-02-06 21:30:13 UTC
This issue has been addressed in the following products:

  RHEV Engine version 4.0

Via RHSA-2017:0257 https://rhn.redhat.com/errata/RHSA-2017-0257.html