Bug 1497971 (CVE-2017-14955)

Summary: CVE-2017-14955 check-mk: Mishandles certain errors within the failed-login save feature because of a race condition
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andrea.veri, sisharma, ssaha, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: check-mk 1.2.8p26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:26:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1497972, 1497973    
Bug Blocks: 1497974    

Description Andrej Nemec 2017-10-03 09:17:58 UTC 
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.

External References:

https://mathias-kettner.de/check_mk_werks.php?werk_id=5208
Comment 1 Andrej Nemec 2017-10-03 09:18:19 UTC 
Created check-mk tracking bugs for this issue:

Affects: epel-all [bug 1497972]
Affects: fedora-all [bug 1497973]
Comment 2 Siddharth Sharma 2017-10-04 04:30:46 UTC 
Upstream Fix:

http://git.mathias-kettner.de/git/?p=check_mk.git;a=patch;h=a4a2cc1f30ff6032899ca80eed29fa26b8898c54
Comment 3 Siddharth Sharma 2017-10-04 04:37:04 UTC 
Statement:

Red Hat Gluster Storage 3 is not affected because affected code is not shipped in the product. Affected code is present in check-mk-multisite rpm which is not shipped in this product.