Bug 1976314 (CVE-2021-27021)

Summary: CVE-2021-27021 puppet: SQL injection
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: brandfbb, ekohlvan, extras-orphan, jjoyce, jschluet, lhh, lpeer, lutter, mburns, mmagr, sclewis, slinaber, terje.rosten
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Puppet DB 6.17.0, Puppet DB 7.4.1, Platform 6.23, Platform 7.7.0, Puppet Enterprise 2021.2, Puppet Enterprise 2019.8.7
Doc Text: A flaw was discovered in puppet. An escalation of privileges which allows the user to delete tables via an SQL query is possible in Puppet DB. The highest threat from this vulnerability is to system availability and integrity.
Last Closed: 2021-10-28 18:07:23 UTC
Bug Depends On: 1976315, 1976316, 1976317, 1976787
Bug Blocks: 1976318

Description Guilherme de Almeida Suckevicz 2021-06-25 18:21:00 UTC
A flaw was discovered in Puppet DB. This flaw results in an escalation of privileges which allows the user to delete tables via an SQL query. This has been resolved in Puppet DB 6.17.0, 7.4.1, Platform 6.23, 7.7.0 and Puppet Enterprise 2021.2, 2019.8.7.

Reference:
https://puppet.com/security/cve/cve-2021-27021/

Comment 1 Guilherme de Almeida Suckevicz 2021-06-25 18:21:29 UTC
Created puppet tracking bugs for this issue:

Affects: epel-all [bug 1976316]
Affects: fedora-all [bug 1976315]
Affects: openstack-rdo [bug 1976317]

Comment 2 Breno 2021-06-28 00:43:57 UTC
We do not package puppet DB, therefore I don't think this applies to us?
We package puppet agent only at the moment.

Comment 5 Yadnyawalk Tale 2021-06-29 20:38:56 UTC
Related patches, addressing the vulnerability:
(PDB-5138) validate-dotted-field: anchor regexp: https://github.com/puppetlabs/puppetdb/commit/c146e624d230f7410fb648d58ae28c0e3cd457a2
(PDB-5138) quote-projections: quote all projections: https://github.com/puppetlabs/puppetdb/commit/f8dc81678cf347739838e42cc1c426d96406c266
(PDB-5138) Strictly validate function AST: https://github.com/puppetlabs/puppetdb/commit/72bd137511487643a3a6236ad9e72a5dd4a6fadb

A patch to ensure PuppetDB logs if the query user’s permissions are insufficiently restricted:
(PDB-5145) Detect and log ERROR level messages if read-only user is misconfigured: https://github.com/puppetlabs/puppetdb/commit/4077d580913c45e471e12cecc9f90df62d95f38f
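
The PDB-5145 item above concerns a query user whose database permissions are not restricted enough. The following PostgreSQL audit query is an added example, not part of this bug report and not PuppetDB's own check; the role name `puppetdb_read` is a placeholder assumption to be replaced with the role your PuppetDB read/query connection uses.

```sql
-- Added example: list every write-capable privilege held by the role that
-- PuppetDB uses for queries. Run it while connected to the PuppetDB database.
-- 'puppetdb_read' is a placeholder role name (assumption); the role must exist,
-- otherwise the has_*_privilege functions raise an error.
WITH target AS (
    SELECT 'puppetdb_read'::name AS role_name
)
-- 1. Data-modifying privileges on ordinary and partitioned tables.
--    Table owners and superusers pass these checks as well.
SELECT 'table'::text                         AS object_type,
       format('%I.%I', n.nspname, c.relname) AS object_name,
       p.privilege                           AS privilege
FROM target t
CROSS JOIN pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN unnest(ARRAY['INSERT', 'UPDATE', 'DELETE', 'TRUNCATE']) AS p(privilege)
WHERE c.relkind IN ('r', 'p')
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_table_privilege(t.role_name, c.oid, p.privilege)
UNION ALL
-- 2. Ability to create new objects in any non-system schema.
SELECT 'schema'::text, n.nspname::text, 'CREATE'::text
FROM target t
CROSS JOIN pg_namespace n
WHERE n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(t.role_name, n.oid, 'CREATE')
UNION ALL
-- 3. Tables owned by the role (an owner can always drop its own tables).
SELECT 'owner'::text, format('%I.%I', n.nspname, c.relname), 'OWNS TABLE'::text
FROM target t
JOIN pg_roles r ON r.rolname = t.role_name
JOIN pg_class c ON c.relowner = r.oid AND c.relkind IN ('r', 'p')
JOIN pg_namespace n ON n.oid = c.relnamespace
UNION ALL
-- 4. Superuser status bypasses every permission check.
SELECT 'role'::text, r.rolname::text, 'SUPERUSER'::text
FROM target t
JOIN pg_roles r ON r.rolname = t.role_name
WHERE r.rolsuper
ORDER BY 1, 2, 3;
```

A correctly restricted read-only role returns no rows; any row identifies a table, schema or role attribute through which that role could modify or remove data.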

Comment 6 Yadnyawalk Tale 2021-06-29 20:50:30 UTC
Satellite and RHUI do ship puppet-agent, puppetserver and puppet respectively, but the vulnerability is in puppetdb, which we do not ship with these products atm. There is a way to integrate PuppetDB with upstream Foreman, but that appears to be an optional configuration.
https://github.com/theforeman/puppet-puppet#puppetdb-integration

Comment 9 Breno 2021-07-08 21:46:17 UTC
Can we close this ticket, then?