Bug 1897618 (CVE-2020-25711)

Summary: CVE-2020-25711 infinispan: authorization check missing for server management operations
Product: [Other] Security Response Reporter: Paramvir jindal <pjindal>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aileenc, asoldano, atangrin, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drieden, eleandro, ggaughan, gmalinko, gvarsami, iweiss, janstey, jawilson, jcoleman, jochrist, jolee, jperkins, jschatte, jstastny, jwon, kconner, krathod, kwills, ldimaggi, lgao, msochure, msvehla, nwallace, pjindal, pmackay, rguimara, rstancel, rsvoboda, rwagner, smaestri, tcunning, tkirby, tom.jenkinson, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Infinispan 11.0.6 Final Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. The highest threat from this vulnerability is to integrity and system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-08 14:41:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1897606    

Description Paramvir jindal 2020-11-13 16:20:39 UTC 
Some server management operations don't check authorization permissions so, when authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. 

The following ops are affected: 
* server stop 
* cluster stop 
* server report 
* cache ignore list manipulation 

This vulnerability affects the org.infinispan:infinispan-server-runtime artifact for all versions up to 11.0.5.Final.

https://issues.redhat.com/browse/JDG-4194
Comment 5 Paramvir jindal 2020-11-25 13:54:03 UTC 
Acknowledgments:

Name: Tristan Tarrant (Red Hat)
Comment 6 Chess Hazlett 2021-02-03 19:11:45 UTC 
Mitigation:

There is currently no known mitigation for this issue.
Comment 7 errata-xmlrpc 2021-02-08 12:55:01 UTC 
This issue has been addressed in the following products:

  Red Hat Data Grid 8.1.1

Via RHSA-2021:0433 https://access.redhat.com/errata/RHSA-2021:0433
Comment 8 Product Security DevOps Team 2021-02-08 14:41:43 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25711