Bug 1940990 (CVE-2021-3457)

Summary: CVE-2021-3457 smart_proxy_shellhooks: unauthorized users can execute actions that should be reserved for foreman
Product: [Other] Security Response
Reporter: Yadnyawalk Tale <ytale>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bbuckingham, bcourt, bkearney, btotty, hhudgeon, lzap, mmccune, nmoumoul, pcreech, rchan, rjerrido, security-response-team, sokeeffe
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: smart_proxy_shellhooks 0.9.2
Doc Type: ---
Doc Text:
An improper authorization handling flaw was found in Foreman. The Shellhooks plugin for the smart-proxy allows Foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and to cause a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-30 11:35:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1940908, 1941509

Description Yadnyawalk Tale 2021-03-19 17:30:52 UTC
On Foreman, the Shellhooks plugin for smart-proxy introduces a flaw which allows any client to perform actions that belong to the Foreman Server.

Comment 1 Yadnyawalk Tale 2021-03-19 17:30:57 UTC
Acknowledgments:

Name: Evgeni Golov (Red Hat)
Upstream: Foreman project

Comment 6 RaTasha Tillery-Smith 2021-03-22 17:48:03 UTC
Statement:

Red Hat Satellite 6 does not ship the smart_proxy_shellhooks plugin, which is affected by the vulnerability. This flaw affects upstream Foreman only.

Comment 7 RaTasha Tillery-Smith 2021-03-22 17:48:04 UTC
Mitigation:

To mitigate the flaw, disable the smart_proxy_shellhooks plugin on the Server.
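
The Doc Text above describes the class of flaw (a smart-proxy endpoint that any client can reach, not only the Foreman server) and the mitigation is to disable the plugin. The following is an added illustration, not code from smart_proxy_shellhooks or from the fixed 0.9.2 release, of how such an endpoint is restricted to the Foreman server: the TLS client certificate's CN is checked against a trusted hosts list before any hook is dispatched. smart-proxy itself has a `:trusted_hosts:` setting for this purpose, but the `HookRequest`, the endpoint classes, the host names and the lambda "hooks" below are all constructed for the example and do not reflect the plugin's actual code or fix.

```ruby
# Added example, not smart_proxy_shellhooks code. Models a proxy endpoint that
# runs "hooks" (here Ruby lambdas standing in for shell scripts) on request.
# Assumption: the proxy terminates TLS and exposes the client cert CN.
class HookRequest
  attr_reader :client_cn, :hook_name

  def initialize(client_cn:, hook_name:)
    @client_cn = client_cn   # nil when the caller presented no client certificate
    @hook_name = hook_name
  end
end

# Vulnerable pattern: every client that can reach the proxy API may run a hook.
class UnrestrictedHookEndpoint
  def initialize(hooks)
    @hooks = hooks
  end

  # Returns [http_status, body].
  def handle(req)
    hook = @hooks[req.hook_name]
    return [404, 'no such hook'] unless hook
    [200, hook.call(req)]
  end
end

# Hardened pattern: reject anonymous callers and callers whose certificate CN
# is not on the configured trusted hosts list before dispatching anything.
class TrustedHostsHookEndpoint
  def initialize(hooks, trusted_hosts:)
    @hooks = hooks
    @trusted = trusted_hosts.map(&:downcase)
  end

  def handle(req)
    cn = req.client_cn.to_s.strip
    return [403, 'client certificate required'] if cn.empty?
    return [403, "untrusted host #{cn}"] unless @trusted.include?(cn.downcase)
    hook = @hooks[req.hook_name]
    return [404, 'no such hook'] unless hook
    [200, hook.call(req)]
  end
end

# Constructed sample hooks; a real plugin would spawn scripts from a directory.
SAMPLE_HOOKS = {
  'notify'  => ->(req) { "notify ran on behalf of #{req.client_cn}" },
  'cleanup' => ->(req) { "cleanup ran on behalf of #{req.client_cn}" }
}.freeze

# Exercises both endpoints with a Foreman request, a plain-client request and
# an anonymous request; returns the HTTP status each one receives.
def run_demo
  open_ep   = UnrestrictedHookEndpoint.new(SAMPLE_HOOKS)
  closed_ep = TrustedHostsHookEndpoint.new(SAMPLE_HOOKS,
                                           trusted_hosts: ['foreman.example.com'])
  from_foreman = HookRequest.new(client_cn: 'foreman.example.com', hook_name: 'cleanup')
  from_client  = HookRequest.new(client_cn: 'host01.example.com',  hook_name: 'cleanup')
  anonymous    = HookRequest.new(client_cn: nil,                   hook_name: 'cleanup')
  {
    unrestricted_client:  open_ep.handle(from_client)[0],    # 200: the flaw
    restricted_foreman:   closed_ep.handle(from_foreman)[0], # 200
    restricted_client:    closed_ep.handle(from_client)[0],  # 403
    restricted_anonymous: closed_ep.handle(anonymous)[0],    # 403
    restricted_unknown:   closed_ep.handle(
      HookRequest.new(client_cn: 'foreman.example.com', hook_name: 'nope'))[0] # 404
  }
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

The check is deliberately ordered so that authorization happens before the hook lookup: an unauthorized caller cannot even enumerate which hook names exist. On a live deployment the first thing to verify is the installed gem version against the "Fixed In Version" field above, and, until it can be upgraded, that the plugin is disabled as the mitigation says.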

Comment 8 Product Security DevOps Team 2021-03-30 11:35:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3457