Bug 1968439 (CVE-2021-3584)

Summary: CVE-2021-3584 foreman: Authenticated remote code execution through Sendmail configuration
Product: [Other] Security Response
Reporter: Yadnyawalk Tale <ytale>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aupadhye, bbuckingham, bcourt, bkearney, btotty, ehelms, jsherril, lzap, mhulan, mmccune, myarboro, nmoumoul, orabin, pcreech, rchan, rjerrido, security-response-team, sokeeffe
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: foreman 2.4.1, foreman 2.5.1, foreman 3.0.0
Doc Type: If docs needed, set a value
Doc Text:
A server-side remote code execution vulnerability was found in the Foreman project. An authenticated attacker could use Sendmail configuration options to overwrite the defaults and perform command injection. The highest threat from this vulnerability is to the confidentiality, integrity and availability of the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-07-05 19:25:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1968443
Bug Blocks: 1968362, 1968688

Description Yadnyawalk Tale 2021-06-07 12:19:35 UTC
Foreman upstream is affected by a remote code execution flaw which allows an authenticated attacker to perform a remote code execution attack. In this type of vulnerability an attacker is able to run commands of their choosing with system-level privileges on a server that possesses the appropriate weakness, but this is only possible when the attacker has gained some high-level privileges on Foreman.

Comment 5 errata-xmlrpc 2022-07-05 14:26:33 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498

Comment 6 Product Security DevOps Team 2022-07-05 19:25:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3584