Bug 1684275 (CVE-2019-3845)

Summary: CVE-2019-3845 katello-installer-base: QMF methods exposed to goferd via qdrouterd
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecified CC: agawand, bbuckingham, bcourt, bkearney, btotty, cbuissar, cwelton, egolov, ehelms, hhudgeon, hsiaoping.whs, jortel, jsherril, lzap, mhulan, mmccune, myarboro, nmoumoul, orabin, pcreech, pmoravec, rchan, rcosta, rjerrido, security-response-team, ytale
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to access QMF methods to any host also registered to Satellite (or Capsule) and execute privileged commands.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:49:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1685586, 1685587, 1685588, 1686547    
Bug Blocks: 1684277    

Description Laura Pardo 2019-02-28 21:09:22 UTC
A vulnerability was found in qpid-dispatch-router. Any logged-in user can access QMF methods on Satellite's qpid broker, which allows him to (un)install any available package on any system (managed by the Satellite) that runs katello agent / goferd.

Comment 2 Laura Pardo 2019-02-28 22:14:44 UTC
Acknowledgments:

Name: Pavel Moravec (Red Hat)

Comment 7 Richard Maciel Costa 2019-03-19 17:31:53 UTC
Mitigation:

On Satellite Server follow the instructions below:

* Modify /etc/qpid/qpidd.conf to add this line:

acl-file=qpid_acls.acl


* Create a new file: /var/lib/qpidd/.qpidd/qpid_acls.acl with content:

acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create

acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all

# allow anything else
acl allow all all


* As root, execute the command:
# systemctl restart qpidd


* In /etc/qpid-dispatch/qdrouterd.conf modify the connector:

connector {
	name: broker
	host: localhost
	port: 5671
	sasl-mechanisms: PLAIN
	sasl-username: katello_agent
	sasl-password: katello_agent
	role: route-container
	ssl-profile: client
	idle-timeout-seconds: 0
}


* As root, execute the command:
# systemctl restart qdrouterd


These ACLs will prevent clients from redirecting or moving messages to various queues, which is the nature of the CVE.
All other behavior will be unchanged (acl allow all all), which is the current baseline.
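To see what the ACL file in the mitigation actually changes, the following added example (not code from the bug report, Red Hat or the Qpid project) parses the rules as written above and evaluates sample requests against them, side by side with the "acl allow all all" baseline the comment describes. It is a simplified model of qpidd's ACL evaluation: it assumes first-matching-rule-wins semantics, shell-style glob matching for property values (so name=* matches any method name), and an implicit deny when no rule matches; the request tuples (user, action, object, properties) are constructed for illustration.

```python
"""Simplified model of how qpidd evaluates the ACL file from the mitigation.

Assumptions of this model (not taken from the bug report): the first matching
rule decides, property values match with shell-style globbing, and a request
that matches no rule is denied (hence the trailing 'acl allow all all').
"""
import fnmatch
from dataclasses import dataclass

# Copy of the ACL file content given in the mitigation (embedded for testing).
MITIGATION_ACL = """
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create

acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all

# allow anything else
acl allow all all
"""

# The pre-mitigation baseline described in the comment: no restrictions at all.
BASELINE_ACL = "acl allow all all\n"


@dataclass
class Rule:
    permission: str   # allow | allow-log | deny | deny-log
    principal: str    # "user@realm" or "all"
    action: str       # create, consume, access, publish, ... or "all"
    obj: str          # queue, exchange, method, ... or "all"
    props: dict       # e.g. {"name": "create"}; every entry must match

    def matches(self, user, action, obj, props):
        if self.principal not in ("all", user):
            return False
        if self.action not in ("all", action):
            return False
        if self.obj not in ("all", obj):
            return False
        # Every property named in the rule must match the request's value
        # (missing request properties are treated as empty strings).
        return all(fnmatch.fnmatchcase(str(props.get(key, "")), pattern)
                   for key, pattern in self.props.items())


def parse_acl(text):
    """Parse 'acl <permission> <principal> <action> [object] [prop=value ...]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] != "acl" or len(parts) < 4:
            raise ValueError(f"unsupported ACL line: {raw!r}")
        obj, props = "all", {}
        for token in parts[4:]:
            if "=" in token:
                key, value = token.split("=", 1)
                props[key] = value
            else:
                obj = token
        rules.append(Rule(parts[1], parts[2], parts[3], obj, props))
    return rules


def evaluate(rules, user, action, obj, **props):
    """Return (allowed, matched_rule); the first matching rule decides."""
    for rule in rules:
        if rule.matches(user, action, obj, props):
            return rule.permission.startswith("allow"), rule
    return False, None   # modelled default when nothing matches


def check_mitigation():
    """Compare baseline and hardened ACLs for the requests that matter here."""
    baseline = parse_acl(BASELINE_ACL)
    hardened = parse_acl(MITIGATION_ACL)
    agent = "katello_agent@QPID"
    return {
        # Before: the agent user may invoke any QMF method (the flaw).
        "baseline_qmf_delete": evaluate(baseline, agent, "access", "method", name="delete")[0],
        # After: only the 'create' method is reachable; the rest is deny-logged.
        "hardened_qmf_create": evaluate(hardened, agent, "access", "method", name="create")[0],
        "hardened_qmf_delete": evaluate(hardened, agent, "access", "method", name="delete")[0],
        # Publishing is pinned to the pulp.task routing key or qmf.default.direct.
        "hardened_publish_pulp": evaluate(hardened, agent, "publish", "exchange",
                                          routingkey="pulp.task")[0],
        "hardened_publish_other": evaluate(hardened, agent, "publish", "exchange",
                                           name="amq.direct", routingkey="other.key")[0],
        # Other principals fall through to 'acl allow all all' unchanged.
        "other_user_unchanged": evaluate(hardened, "other@QPID", "access", "method",
                                         name="delete")[0],
    }


if __name__ == "__main__":
    for request, allowed in check_mitigation().items():
        print(f"{request}: {'allow' if allowed else 'deny'}")
```

Rule order is the whole point: the two deny-log lines sit after the narrow allows for katello_agent@QPID and before the catch-all allow, so the agent identity keeps exactly the queue, consume, publish and QMF create operations listed and loses everything else, while every other principal is evaluated only by the final line.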

Comment 10 errata-xmlrpc 2019-04-09 17:23:03 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2019:0733 https://access.redhat.com/errata/RHSA-2019:0733

Comment 11 errata-xmlrpc 2019-04-09 17:23:20 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2019:0735 https://access.redhat.com/errata/RHSA-2019:0735

Comment 12 errata-xmlrpc 2019-04-09 17:26:34 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.2 for RHEL 6
  Red Hat Satellite 6.2 for RHEL 7

Via RHSA-2019:0734 https://access.redhat.com/errata/RHSA-2019:0734

Comment 15 errata-xmlrpc 2019-05-14 13:03:06 UTC
This issue has been addressed in the following products:

  Satellite Tools 6.5 for RHEL 7
  Satellite Tools 6.5 for RHEL 7.4.EUS
  Satellite Tools 6.5 for RHEL 7.5.EUS
  Satellite Tools 6.5 for RHEL 7.6.EUS
  Satellite Tools 6.5 for RHEL 7.3.AUS
  Satellite Tools 6.5 for RHEL 7.4.AUS
  Satellite Tools 6.5 for RHEL 7.2.E4S
  Satellite Tools 6.5 for RHEL 7.3.E4S
  Satellite Tools 6.5 for RHEL 7.4.E4S
  Satellite Tools 6.5 for RHEL 7.2.TUS
  Satellite Tools 6.5 for RHEL 7.3.TUS
  Satellite Tools 6.5 for RHEL 7.4.TUS
  Satellite Tools 6.5 for RHEL 7.6.E4S
  Satellite Tools 6.5 for RHEL 7.6.AUS
  Satellite Tools 6.5 for RHEL 7.6.TUS
  Satellite Tools 6.5 for RHEL 5.9.AUS
  Satellite Tools 6.5 for RHEL 5.ELS
  Satellite Tools 6.5 for RHEL 6.4.AUS
  Satellite Tools 6.5 for RHEL 6.5.AUS
  Satellite Tools 6.5 for RHEL 6.6.AUS
  Satellite Tools 6.5 for RHEL 7.2.AUS
  Satellite Tools 6.5 for RHEL 6
  Satellite Tools 6.5 for RHEL 8

Via RHSA-2019:1223 https://access.redhat.com/errata/RHSA-2019:1223

Comment 17 Cedric Buissart 2019-07-31 14:45:41 UTC
Statement:

On Red Hat Satellite 6.5, the Satellite 6.5 GA release includes a version of katello-installer-base that provides the fixes for this issue.

Comment 23 Yadnyawalk Tale 2022-02-22 15:01:40 UTC
It is super confusing looking at where the issue was and where it got fixed. I see some indirect fixes are in puppet-foreman_proxy_content, puppet-katello and puppet-qpid too. However, from the errata I can confirm the issue got fixed in katello-installer-base-3.10.0.6-1 through RHSA-2019:0735.

To answer comment#18, whatever Cedric and Pavel said is correct; this vulnerability does not have anything to do with beautifulsoup4. I think container images were getting flagged because of an incorrect CVE mapping with the RPM. I've corrected this CVE mapping in the advisory so it is now mapping to the correct RPM (katello-installer-base). I expect that once the CVE page gets updated, container images should not flag it incorrectly.