Bug 1702604 (CVE-2019-10137)
| Field | Value |
|---|---|
| Summary | CVE-2019-10137 spacewalk-proxy: Path traversal in proxy authentication cache |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Marian Rehak <mrehak> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | bkearney, cbuissar, mmraka, rdrazny, security-response-team, tlestach |
| Keywords | Security |
| Doc Type | If docs needed, set a value |
| Doc Text | A path traversal flaw was found in the way the proxy processes cached client tokens. A remote, unauthenticated attacker could use this flaw to test the existence of arbitrary files, if they have access to the proxy's filesystem, or can execute arbitrary code in the context of the httpd process. |
| Last Closed | 2019-07-12 13:07:05 UTC |
| Bug Depends On | 1710280 |
| Bug Blocks | 1702605 |

Description
Marian Rehak
2019-04-24 08:49:52 UTC
Acknowledgments: Name: Malte Kraus (SUSE)

Discovered in private SUSE fork based on version spacewalk 2.8, but upstream master looks to be equally affected.

The attack does not require authentication.

* The attack can be used to force the Proxy into reading files outside of the dedicated token directory. However, unless the said file is specially crafted, this will result in an error and the file content will not be revealed to the attacker.
* Considering the parent Satellite trusted, the attack cannot be used to force writing data outside of the token directory, nor writing arbitrary data.
* The attack can be used to test the existence of files in the proxy's filesystem (the error differs whether the token file exists or not).
* If the attacker has the ability to write arbitrary data on an arbitrary location, the flaw could be used to execute code on the proxy server, in the context of the proxy service, during the unserialization of the token file.

Mitigation: SELinux in enforcing mode will prevent the proxy from accessing files that have an incompatible SELinux context.

This issue has been addressed in the following products:

Red Hat Satellite Proxy v 5.8
Via RHSA-2019:1663 https://access.redhat.com/errata/RHSA-2019:1663

Created attachment 1586994
make sure file is created inside CACHEDIR

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10137
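
The containment check that the attachment title describes, sketched as an added illustration: this is not the attached patch or Spacewalk code. The names `cache_path`, `read_token`, `CacheKeyError` and the sample directory layout in `demo` are assumptions made for the example.

```python
import os
import tempfile


class CacheKeyError(Exception):
    """Raised for every rejected key, with one message, so nothing leaks."""


def cache_path(cachedir, key):
    """Return the cache file path for an untrusted key, or raise if it escapes."""
    base = os.path.realpath(cachedir)
    # realpath collapses "..", absolute components and symlinks before comparing.
    candidate = os.path.realpath(os.path.join(base, key))
    # commonpath compares whole components, so "cache-evil" is not "inside" "cache".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise CacheKeyError("invalid cache key")
    return candidate


def read_token(cachedir, key):
    """Return raw token bytes, or None. A rejected key and a missing file
    look the same to the caller, so the response is no existence oracle."""
    try:
        with open(cache_path(cachedir, key), "rb") as fh:
            return fh.read()  # validate before any deserialization step
    except (CacheKeyError, OSError, ValueError):
        return None


def demo():
    """Constructed layout: one token inside the cache, one file outside it."""
    with tempfile.TemporaryDirectory() as root:
        cachedir = os.path.join(root, "cache")
        os.mkdir(cachedir)
        with open(os.path.join(cachedir, "proxy-token"), "wb") as fh:
            fh.write(b"constructed-token")
        with open(os.path.join(root, "outside"), "wb") as fh:
            fh.write(b"not a token")
        return {
            "valid": read_token(cachedir, "proxy-token"),
            "existing_outside": read_token(cachedir, "../outside"),
            "missing_outside": read_token(cachedir, "../no-such-file"),
            "absolute": read_token(cachedir, os.path.join(root, "outside")),
        }


if __name__ == "__main__":
    print(demo())
```

The same `cache_path` check applies before creating or writing a cache file, which is the case the attachment title names.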