Bug 1439622 (CVE-2017-7470)
Summary: | CVE-2017-7470 spacewalk-backend: spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | Lukáš Hellebrandt <lhellebr> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | unspecified | CC: | bkearney, ggainey, gmollett, jdobes, kseifried, lhellebr, meissner, mmraka, security-response-team, taw, thomas, tkasparek, tlestach | ||||
Target Milestone: | --- | Keywords: | Reopened, Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
Doc Text: |
It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py.
|
Story Points: | --- | ||||
Clone Of: | Environment: | ||||||
Last Closed: | 2017-12-21 13:29:09 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 1442130, 1442131 | ||||||
Bug Blocks: | 1439624 | ||||||
Attachments: |
|
Description
Adam Mariš
2017-04-06 10:35:52 UTC
Created attachment 1269322 [details]
Proposed patch
Acknowledgments: Name: Bert Stel (SUSE) Hello Adam, the proposed patch does not seem to fix anything. If you have a reproducer will you mind to share it with us? The reason given to me by our maintainer is: the select previously will always report success as a dictionary is returned (element size 1). the patch changes it to count the entries in this dictionary instead. can you contact our developer Can Bulut Bayburt ( can.bulut.bayburt ) for more information? Steps to Reproduce: 1. install Satellite / Spacewalk server 2. create Admin user 3. create system group Group1 4. create User1, standard (non-admin) user, make it Group1 administrator 5. create User2, standard (non-admin) user 6. create User3, admin user, and disable it 7. register a system into Satellite / Spacewalk and add it to Group1 8. on the system use rhn-channel to add/remove chnnels as user Admin, User1, User2, User3 Actual results: all user can add/remove channels Expected results: only Admin and User1 can manipulate channels Additional info: All users, group and server belong to the same org Statement: This issue affects the versions of spacewalk-backend as shipped with Red Hat Satellite version 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. does this mean you are not going to assign a CVE? Has been an embargo date decided already? This issue has been addressed in the following products: Red Hat Satellite 5.7 Red Hat Satellite 5.6 Via RHSA-2017:1259 https://access.redhat.com/errata/RHSA-2017:1259 |