Bug 1439622 (CVE-2017-7470)
| Summary: | CVE-2017-7470 spacewalk-backend: spacewalk-channel can be used by non-admin or disabled users for performing administrative tasks | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Lukáš Hellebrandt <lhellebr> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | bkearney, ggainey, gmollett, jdobes, kseifried, lhellebr, meissner, mmraka, security-response-team, taw, thomas, tkasparek, tlestach | ||||
| Target Milestone: | --- | Keywords: | Reopened, Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: |
It was found that spacewalk-channel can be used by a non-admin user or disabled users to perform administrative tasks due to an incorrect authorization check in backend/server/rhnChannel.py.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-12-21 13:29:09 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1442130, 1442131 | ||||||
| Bug Blocks: | 1439624 | ||||||
| Attachments: |
|
||||||
|
Description
Adam Mariš
2017-04-06 10:35:52 UTC
Created attachment 1269322 [details]
Proposed patch
Acknowledgments: Name: Bert Stel (SUSE) Hello Adam, the proposed patch does not seem to fix anything. If you have a reproducer will you mind to share it with us? The reason given to me by our maintainer is: the select previously will always report success as a dictionary is returned (element size 1). the patch changes it to count the entries in this dictionary instead. can you contact our developer Can Bulut Bayburt ( can.bulut.bayburt ) for more information? Steps to Reproduce: 1. install Satellite / Spacewalk server 2. create Admin user 3. create system group Group1 4. create User1, standard (non-admin) user, make it Group1 administrator 5. create User2, standard (non-admin) user 6. create User3, admin user, and disable it 7. register a system into Satellite / Spacewalk and add it to Group1 8. on the system use rhn-channel to add/remove chnnels as user Admin, User1, User2, User3 Actual results: all user can add/remove channels Expected results: only Admin and User1 can manipulate channels Additional info: All users, group and server belong to the same org Statement: This issue affects the versions of spacewalk-backend as shipped with Red Hat Satellite version 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. does this mean you are not going to assign a CVE? Has been an embargo date decided already? This issue has been addressed in the following products: Red Hat Satellite 5.7 Red Hat Satellite 5.6 Via RHSA-2017:1259 https://access.redhat.com/errata/RHSA-2017:1259 |