Bug 1465448 (CVE-2017-7530)

Summary: CVE-2017-7530 cfme: Execution of arbitrary methods through filter param
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: cpelland, dajohnso, dclarizi, gblomqui, gmccullo, gtanzill, hhudgeon, jfrey, jhardy, jprause, kseifried, obarenbo, roliveri, security-response-team, simaishi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cfme 5.7.3, cfme 5.8.1 Doc Type: If docs needed, set a value
Doc Text:
It was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users. An attacker could use this to execute actions they should not be allowed to (e.g. destroying VMs).
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-02 19:12:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1467720    
Bug Blocks: 1435396, 1465449    

Description Adam Mariš 2017-06-27 13:00:17 UTC
It was found that privilege check is missing when invoking arbitrary methods via filtering on VMs that MiqExpression will execute that is triggerable by API users.

Comment 1 Adam Mariš 2017-06-27 13:00:25 UTC
Acknowledgments:

Name: Tim Wade (Red Hat)

Comment 5 errata-xmlrpc 2017-08-02 17:35:43 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2017:1758 https://access.redhat.com/errata/RHSA-2017:1758