Bug 2184364 (CVE-2023-1832)

Summary: CVE-2023-1832 candlepin: Improper authorization check in the server component
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: bbuckingham, bcourt, ehelms, jsherril, lzap, mhulan, myarboro, nmoumoul, orabin, pcreech, rchan, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: candlepin-4.3.7-3, candlepin-4.3.8-1
Doc Type: If docs needed, set a value
Doc Text:
An improper access control flaw was found in Candlepin. An attacker can create data scoped under another customer/tenant, which can result in loss of confidentiality and availability for the affected customer/tenant.
Last Closed: 2023-09-22 11:00:50 UTC
Bug Depends On: 2186216
Bug Blocks: 2184365

Description Pedro Sampaio 2023-04-04 12:33:03 UTC
An improper access control flaw was found in Candlepin. This issue enables a customer/tenant to create data scoped under another customer/tenant, and can result in loss of confidentiality and availability for the affected customer/tenant.

Comment 4 Nikos Moumoulidis 2023-09-22 11:00:50 UTC
This has been fixed in candlepin-4.3.7-3, and deployed to PROD hosted candlepin:

curl -k https://subscription.rhsm.redhat.com/candlepin/status | python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   805    0   805    0     0   1580      0 --:--:-- --:--:-- --:--:--  1581
{
    "mode": "NORMAL",
    "modeReason": null,
    "modeChangeTime": null,
    "result": true,
    "version": "4.3.7",              <--- version
    "release": "3",                  <--- release
    "standalone": false,
    "timeUTC": "2023-09-22T10:58:37+0000",
    "rulesSource": "default",
    "rulesVersion": "5.44",
    "managerCapabilities": [
        "keycloak_auth",
        "cloud_registration",
        "instance_multiplier",
        "derived_product",
        "vcpu",
        "cert_v3",
        "hypervisors_heartbeat",
        "remove_by_pool_id",
        "syspurpose",
        "storage_band",
        "device_auth",
        "cores",
        "ssl_verify_status",
        "multi_environment",
        "hypervisors_async",
        "org_level_content_access",
        "guest_limit",
        "ram",
        "batch_bind",
        "combined_reporting"
    ],
    "keycloakRealm": "redhat-external",
    "keycloakAuthUrl": "https://sso.redhat.com/auth",
    "keycloakResource": "rhsm-api",
    "deviceAuthRealm": "redhat-external",
    "deviceAuthUrl": "https://sso.redhat.com/auth",
    "deviceAuthClientId": "rhsm-api",
    "deviceAuthScope": ""
}
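Comment 4 verifies the fix by reading "version" and "release" from the /status endpoint and comparing them by eye against the Fixed In Version field. The script below automates that comparison. It is an added example, not part of the bug report and not Candlepin project code; the only facts it takes from the page are the two fixed builds (candlepin-4.3.7-3 and candlepin-4.3.8-1) and the shape of the /status JSON. The "same version with equal or higher release, or strictly newer version" rule in is_fixed() is this example's own assumption about how the two fixed builds relate, not a documented Candlepin policy, and SAMPLE_STATUS is a trimmed copy of the response quoted above used as offline input.

```python
"""Check a Candlepin /status document against the builds that fix CVE-2023-1832.

Added example; not Candlepin code. Fixed builds come from the bug's
"Fixed In Version" field; the comparison rule below is an assumption.
"""
import json
import re
from typing import Dict, Tuple

# Fixed builds as listed in the bug's "Fixed In Version" field.
FIXED_VERSIONS = ("candlepin-4.3.7-3", "candlepin-4.3.8-1")

# Constructed sample input: a trimmed copy of the /status response in Comment 4.
SAMPLE_STATUS = """{
    "mode": "NORMAL",
    "result": true,
    "version": "4.3.7",
    "release": "3",
    "standalone": false
}"""


def parse_nvr(nvr: str) -> Tuple[str, str]:
    """Split a name-version-release string such as 'candlepin-4.3.7-3'
    into ('4.3.7', '3'). Raises ValueError on anything else."""
    match = re.fullmatch(r"candlepin-(\d+(?:\.\d+)*)-(\d+)", nvr)
    if not match:
        raise ValueError(f"unrecognised NVR: {nvr}")
    return match.group(1), match.group(2)


def _vtuple(version: str) -> Tuple[int, ...]:
    """'4.3.7' -> (4, 3, 7) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(version: str, release: str, fixed=FIXED_VERSIONS) -> bool:
    """Return True when (version, release) is at or above a fixed build.

    Rule (assumption of this example): a deployed build counts as fixed if it
    has the same version string as a fixed build with an equal or higher
    release, or a version strictly newer than every listed fixed build.
    A build older than, or in between with a lower release, is reported as
    still vulnerable.
    """
    deployed_v = _vtuple(version)
    deployed_r = int(release)
    fixed_parsed = [parse_nvr(nvr) for nvr in fixed]

    for fixed_v, fixed_r in fixed_parsed:
        if _vtuple(fixed_v) == deployed_v and deployed_r >= int(fixed_r):
            return True

    newest_fixed = max(_vtuple(fixed_v) for fixed_v, _ in fixed_parsed)
    return deployed_v > newest_fixed


def check_status_json(text: str) -> Dict[str, object]:
    """Parse a /status document and report its version, release and fixed flag."""
    data = json.loads(text)
    version = str(data["version"])
    release = str(data["release"])
    return {"version": version, "release": release,
            "fixed": is_fixed(version, release)}


def fetch_status(url: str = "https://subscription.rhsm.redhat.com/candlepin/status",
                 timeout: float = 10.0) -> str:
    """Fetch a live /status document with TLS verification left on."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the sample; swap in fetch_status() for a live check.
    print(check_status_json(SAMPLE_STATUS))
```

Unlike the curl -k invocation in the comment, fetch_status() keeps certificate verification enabled; a version check that accepts any certificate can be fed a forged /status document. The release field matters as much as the version: a 4.3.7 build with release 2 still reports as vulnerable, which a check on "version" alone would miss.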