Bug 2065665 (CVE-2022-24302)

Summary: CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agrimm, amctagga, anharris, aos-bugs, athmanem, bcoca, bkearney, bniver, chousekn, cmeyers, cstratak, davidn, eglynn, flucifre, gblomqui, gmeno, gwync, igor.raits, ivazqueznet, jcammara, jhardy, jhunsaker, jjoyce, jobarker, lhh, mabashia, mbenjamin, mburns, mhackett, michal.skrivanek, mperina, notting, orion, osapryki, paul, python-maint, rebus, relrod, rfreiman, rpetrell, sbonazzo, sdoran, sgallagh, smcdonal, sostapov, spower, tkuratom, torsava, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: paramiko v 2.10.1 Doc Type: If docs needed, set a value
Doc Text:
A race condition was found in Paramiko. This flaw allows unauthorized information disclosure from an attacker with access to the write_private_key_file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-26 21:15:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2065666, 2065667, 2066431, 2067968, 2067982, 2068130, 2068392, 2075658, 2075659, 2075660, 2122628    
Bug Blocks: 2065668    

Description Pedro Sampaio 2022-03-18 12:46:19 UTC 
In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

References:

https://www.paramiko.org/changelog.html
https://github.com/paramiko/paramiko/blob/363a28d94cada17f012c1604a3c99c71a2bda003/paramiko/pkey.py#L546
Comment 1 Pedro Sampaio 2022-03-18 12:46:46 UTC 
Created python-paramiko tracking bugs for this issue:

Affects: epel-all [bug 2065667]
Affects: fedora-all [bug 2065666]
Comment 2 juneau 2022-03-21 18:21:18 UTC 
services-assisted-installer affected/delegated:

services-assisted-installer/assisted-test-infra:7bf31f4/paramiko-2.9.2 https://github.com/openshift/assisted-test-infra/blob/master/requirements.txt
Comment 8 errata-xmlrpc 2022-05-26 17:25:06 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 9

Via RHSA-2022:4712 https://access.redhat.com/errata/RHSA-2022:4712
Comment 9 Product Security DevOps Team 2022-05-26 21:15:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24302
Comment 11 errata-xmlrpc 2022-12-07 19:25:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:8845 https://access.redhat.com/errata/RHSA-2022:8845
Comment 12 errata-xmlrpc 2022-12-07 20:26:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:8863 https://access.redhat.com/errata/RHSA-2022:8863