Bug 1542165 (CVE-2018-1000095)

Summary: CVE-2018-1000095 ovirt-engine: stored XSS in snapshot description and comment
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bmcclain, dblechte, dmoppert, eedri, lsurette, mgoldboi, michal.skrivanek, nobody, psampaio, Rhev-m-bugs, security-response-team, sherold, srevivo, ykaul
Target Milestone: ---
Keywords: Regression, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A stored XSS vulnerability was discovered in ovirt-engine 4.2. Sanitization of HTML elements was not applied correctly to all fields shown in the management console. An attacker with VM Admin permissions could use this vulnerability to launch XSS attacks against other VM or Cluster administrators.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:39:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1542168

Description Pedro Sampaio 2018-02-05 18:13:42 UTC
A stored XSS was found in ovirt-engine 4.2.1.1 in the snapshot's description and comment.

Comment 1 Allon Mureinik 2018-02-06 15:56:46 UTC
Hi Pedro,

I'm the engineering manager of the RHV Storage team, which should probably take ownership of this BZ.
There's not too much to go on here (I'm guessing it's something like "create a snapshot with a description that contains javascript").
Can you provide more formal steps? Or perhaps they are in the blocked bug I don't have access to - could you add me as a CC there?

Thanks!

P.S.
Adding the "Regression" keyword. This issue was reproduced with the above steps in 4.2, but not in the latest 4.1.z.

Comment 2 Doran Moppert 2018-02-07 02:52:48 UTC
(In reply to Allon Mureinik from comment #1)
> I'm the engineering manager of the RHV Storage team, which should probably
> take ownership of this BZ.
> There's not too much to go on here (I'm guessing it's something like "create
> a snapshot with a description that contains javascript").
> Can you provide more formal steps? Or perhaps they are in the blocked bug I
> don't have access to - could you add me as a CC there?

Hi Allon,

The details are recorded in product bug 1540925, which awels@ owns. It seems the issue is not specific to Storage but affects various fields in oVirt front-end.

Comment 3 Allon Mureinik 2018-02-07 08:00:58 UTC
(In reply to Doran Moppert from comment #2)
> (In reply to Allon Mureinik from comment #1)
> > I'm the engineering manager of the RHV Storage team, which should probably
> > take ownership of this BZ.
> > There's not too much to go on here (I'm guessing it's something like "create
> > a snapshot with a description that contains javascript").
> > Can you provide more formal steps? Or perhaps they are in the blocked bug I
> > don't have access to - could you add me as a CC there?
> 
> Hi Allon,
> 
> The details are recorded in product bug 1540925, which awels@ owns. It
> seems the issue is not specific to Storage but affects various fields in
> oVirt front-end.

Thanks Doran.
I was alerted to this issue when Yaniv Kaul added me to the CC list. Looking through bug 1540925 it seems that Alexander has things under control. Alexander/Doran/Pedro - If you need anything from my side, just let me know.

Comment 5 Doran Moppert 2018-02-08 02:11:18 UTC
Acknowledgments:

Name: Han Han (Red Hat)

Comment 6 Doran Moppert 2018-02-08 02:11:24 UTC
External References:

https://gerrit.ovirt.org/#/c/87265