Bug 1693867 (CVE-2019-3891)

Summary: CVE-2019-3891 candlepin: credentials exposure through log files
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbuckingham, bcourt, bkearney, btotty, chris.snell, hhudgeon, khowell, mmccune, mrike, ohadlevy, rchan, rjerrido, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: candlepin 2.4.15, candlepin 2.5.15 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that a world-readable log file, belonging to the Candlepin component of Red Hat Satellite 6.4, leaked the credentials of the Candlepin database. A malicious user with local access to a Satellite host can use those credentials to modify the database and prevent Satellite from fetching package updates, thus preventing all Satellite hosts from accessing those updates.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:52:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1695848    
Bug Blocks: 1693869    

Description Laura Pardo 2019-03-28 20:17:32 UTC 
A vulnerability was found in the way Satellite 6 installer logs the calls to Candlepins cpdb. The /var/log/candlepin/cpdb.log log file permissions allows a non privileged user to read credentials information from the log files.


Bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1692703
Comment 4 Richard Maciel Costa 2019-04-03 19:48:24 UTC 
Mitigation:

Remove world readable permission from /var/log/candlepin/cpdb.log, by executing the following on the console of the machine where Red Hat Satellite is installed, as root:
chmod o-r /var/log/candlepin/cpdb.log
Comment 12 Richard Maciel Costa 2019-04-12 12:56:54 UTC 
Acknowledgments:

Name: Evgeni Golov (Red Hat)
Comment 13 errata-xmlrpc 2019-05-14 12:36:15 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.5 for RHEL 7

Via RHSA-2019:1222 https://access.redhat.com/errata/RHSA-2019:1222