Bug 1684275 (CVE-2019-3845)
Field | Value | Field | Value |
---|---|---|---|
Summary: | CVE-2019-3845 katello-installer-base: QMF methods exposed to goferd via qdrouterd | | |
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | agawand, bbuckingham, bcourt, bkearney, btotty, cbuissar, cwelton, egolov, ehelms, hhudgeon, hsiaoping.whs, jortel, jsherril, lzap, mhulan, mmccune, myarboro, nmoumoul, orabin, pcreech, pmoravec, rchan, rcosta, rjerrido, security-response-team, ytale |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to access QMF methods of any other host registered to the same Satellite (or Capsule) and execute privileged commands. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-10 10:49:34 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1685586, 1685587, 1685588, 1686547 | | |
Bug Blocks: | 1684277 | | |
Description
Laura Pardo
2019-02-28 21:09:22 UTC
Acknowledgments:

Name: Pavel Moravec (Red Hat)

Mitigation:

On Satellite Server follow the instructions below:

* Modify /etc/qpid/qpidd.conf to add this line:

```
acl-file=qpid_acls.acl
```

* Create a new file /var/lib/qpidd/.qpidd/qpid_acls.acl with content:

```
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create
acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all
# allow anything else
acl allow all all
```

* As root, execute the command:

```
# systemctl restart qpidd
```

* In /etc/qpid-dispatch/qdrouterd.conf modify the connector:

```
connector {
    name: broker
    host: localhost
    port: 5671
    sasl-mechanisms: PLAIN
    sasl-username: katello_agent
    sasl-password: katello_agent
    role: route-container
    ssl-profile: client
    idle-timeout-seconds: 0
}
```

* As root, execute the command:

```
# systemctl restart qdrouterd
```

These ACLs will prevent clients from redirecting or moving messages to various queues, which is the nature of the CVE. All other behavior will be unchanged (acl allow all all), which is the current baseline.
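To check what the mitigation ACL above actually permits the katello_agent@QPID identity to do, here is an added example (not Red Hat's or Qpid's code) that replays the ACL through a small first-match evaluator. It assumes a simplified model of qpidd ACL semantics: top-to-bottom first match, implicit deny when no rule matches, `all` as a wildcard for user/action/object, `*` as a glob in property values, and a rule with properties matching only when every listed property is present in the request.

```python
# Simplified evaluator for the qpidd ACL file from the mitigation above (added
# example; an assumed model of qpidd ACL semantics, not the broker's own code):
# rules are checked top to bottom and the first match wins; no match means deny;
# 'all' matches any user/action/object; '*' in a property value is a glob.
import fnmatch
from typing import Dict, List, Optional, Tuple
Rule = Tuple[str, str, str, str, Dict[str, str]]  # verdict, user, action, object, props

MITIGATION_ACL = """
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create
acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all
# allow anything else
acl allow all all
"""

def parse_acl(text: str) -> List[Rule]:
    """Parse 'acl <allow|deny|deny-log> <user> <action> [<object> [k=v ...]]' lines."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] != "acl" or len(parts) < 4:
            raise ValueError(f"unsupported ACL line: {line!r}")
        obj = parts[4] if len(parts) > 4 else "all"
        props = dict(p.split("=", 1) for p in parts[5:])
        rules.append((parts[1], parts[2], parts[3], obj, props))
    return rules

def _match(pattern: str, value: str) -> bool:
    return pattern == "all" or fnmatch.fnmatchcase(value, pattern)

def evaluate(rules: List[Rule], user: str, action: str, obj: str,
             props: Optional[Dict[str, str]] = None) -> str:
    """Return 'allow', 'deny' or 'deny-log' for one request; first match wins."""
    props = props or {}
    for verdict, r_user, r_action, r_obj, r_props in rules:
        if not (_match(r_user, user) and _match(r_action, action) and _match(r_obj, obj)):
            continue
        if all(k in props and fnmatch.fnmatchcase(props[k], v) for k, v in r_props.items()):
            return verdict
    return "deny"  # implicit default when nothing matches
```

Under this model the agent identity keeps its queue create/consume and pulp.task publishing rights, while any QMF method other than `create` and any publish to an arbitrary routing key hits a `deny-log` rule, which is what closes the message-redirection path described in the CVE.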
This issue has been addressed in the following products:

Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2019:0733 https://access.redhat.com/errata/RHSA-2019:0733

This issue has been addressed in the following products:

Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2019:0735 https://access.redhat.com/errata/RHSA-2019:0735

This issue has been addressed in the following products:

Red Hat Satellite 6.2 for RHEL 6
Red Hat Satellite 6.2 for RHEL 7

Via RHSA-2019:0734 https://access.redhat.com/errata/RHSA-2019:0734

This issue has been addressed in the following products:

Satellite Tools 6.5 for RHEL 7
Satellite Tools 6.5 for RHEL 7.4.EUS
Satellite Tools 6.5 for RHEL 7.5.EUS
Satellite Tools 6.5 for RHEL 7.6.EUS
Satellite Tools 6.5 for RHEL 7.3.AUS
Satellite Tools 6.5 for RHEL 7.4.AUS
Satellite Tools 6.5 for RHEL 7.2.E4S
Satellite Tools 6.5 for RHEL 7.3.E4S
Satellite Tools 6.5 for RHEL 7.4.E4S
Satellite Tools 6.5 for RHEL 7.2.TUS
Satellite Tools 6.5 for RHEL 7.3.TUS
Satellite Tools 6.5 for RHEL 7.4.TUS
Satellite Tools 6.5 for RHEL 7.6.E4S
Satellite Tools 6.5 for RHEL 7.6.AUS
Satellite Tools 6.5 for RHEL 7.6.TUS
Satellite Tools 6.5 for RHEL 5.9.AUS
Satellite Tools 6.5 for RHEL 5.ELS
Satellite Tools 6.5 for RHEL 6.4.AUS
Satellite Tools 6.5 for RHEL 6.5.AUS
Satellite Tools 6.5 for RHEL 6.6.AUS
Satellite Tools 6.5 for RHEL 7.2.AUS
Satellite Tools 6.5 for RHEL 6
Satellite Tools 6.5 for RHEL 8

Via RHSA-2019:1223 https://access.redhat.com/errata/RHSA-2019:1223

Statement:

On Red Hat Satellite 6.5, the Satellite 6.5 GA release includes a version of katello-installer-base that provides the fixes for this issue.

It is super confusing looking at where the issue was and where it got fixed. I see some indirect fixes are in puppet-foreman_proxy_content, puppet-katello and puppet-qpid too. However, from the errata I can confirm the issue got fixed in katello-installer-base-3.10.0.6-1 through RHSA-2019:0735.
To answer comment #18, whatever Cedric and Pavel said is correct: this vulnerability does not have anything to do with beautifulsoup4. I think container images were getting flagged because of an incorrect CVE mapping with the RPM. I've corrected this CVE mapping from the advisory so it is now mapping to the correct RPM (katello-installer-base). I expect that once the CVE page gets updated, container images should no longer flag it incorrectly.