Bug 1417702 (CVE-2017-2614)
| Summary: | CVE-2017-2614 rhev-m-4: Fails to validate existing expired passwords when changing a password | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | bmcclain, dblechte, eedri, mgoldboi, michal.skrivanek, mperina, sbonazzo, security-response-team, sherold, ykaul, ylavi |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ovirt-engine-extension-aaa-jdbc 1.1.3 | Doc Type: | If docs needed, set a value |
| Doc Text: |
When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining access to those accounts.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-02-06 23:45:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1416935 | ||
| Bug Blocks: | 1417706 | ||
|
Description
Kurt Seifried
2017-01-30 17:15:25 UTC
Acknowledgments: Name: Dominic Geevarghes (Red Hat) This issue has been addressed in the following products: RHEV Engine version 4.0 Via RHSA-2017:0257 https://rhn.redhat.com/errata/RHSA-2017-0257.html |