Bug 696795 (CVE-2011-1685, CVE-2011-1686, CVE-2011-1687, CVE-2011-1688, CVE-2011-1689, CVE-2011-1690)

Summary: CVE-2011-1685 CVE-2011-1686 CVE-2011-1687 CVE-2011-1688 CVE-2011-1689 CVE-2011-1690 rt3: several security flaws fixed in 3.6.11, 3.8.10
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: perl-devel, rc040203, tremble, trs, xavier
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix

Description Vincent Danen 2011-04-14 20:33:11 UTC
Several flaws have been reported [1] and corrected in RT versions 3.6.11 and 3.8.10, including:

RT versions 3.8.0 and above with the "external custom field" feature enabled and configured are vulnerable to a remote code execution vulnerability.  An authenticated user (either privileged or unprivileged) can use this vulnerability to execute arbitrary code with the permissions of the webserver; they may also be tricked into doing so via cross-site request forgery (CSRF). (CVE-2011-1685)

RT versions 2.0.0 and above are vulnerable to multiple SQL injection attacks.  We do not believe these attacks to be capable of directly inserting, altering or removing data from the database, but an authenticated user (either privileged or unprivileged) could use them to retrieve unauthorized ticket data. (CVE-2011-1686)

RT versions 3.0.0 and higher are vulnerable to an information leak wherein an authenticated privileged user could gain sensitive information, such as encrypted passwords, via the search interface. (CVE-2011-1687)

RT versions 3.6.0 through 3.8.7, as well as 3.8.8 to a more limited degree, are vulnerable to a malicious attacker tricking the user into sending their authentication credentials to a third-party server. (CVE-2011-1690)

RT versions 3.2.0 and above are vulnerable to a directory traversal attack where an unauthenticated attacker can read any file which is readable by the webserver.  While some servers (Apache, nginx) have safeguards which mitigate this attack, preventing such traversals from accessing files outside of RT's document root, many others (including the standalone server provided with RT, plackup, starman, twiggy, and lighttpd) are vulnerable to this exploit. (CVE-2011-1688)

RT versions 2.0.0 and above are vulnerable to javascript cross-site-scripting vulnerabilities, which allow an attacker to run javascript with the user's credentials. (CVE-2011-1689)

Upstream have released a patchset [2] as well for 3.6.10 and 3.8 releases, in addition to the new releases.

[1] http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html
[2] http://download.bestpractical.com/pub/rt/release/security-2011-04-14.tar.gz
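The safeguard the CVE-2011-1688 paragraph credits to Apache and nginx (refusing requests whose resolved path leaves RT's document root) can be expressed as a check that does not depend on which server fronts the application. The following is an added example, not RT's code or the upstream fix; the function names and the constructed directory layout are assumptions.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(doc_root: str, request_path: str):
    """Map a URL path onto the filesystem, refusing anything that escapes doc_root.

    Returns the resolved absolute path, or None when the request would read
    outside the document root (via '..', percent-encoded '..', or a symlink).
    """
    root = os.path.realpath(doc_root)
    # Decode repeatedly so a double-encoded "%252e%252e" cannot slip through.
    decoded = request_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # A NUL byte can truncate the path in a C-level open(); reject it outright.
    if "\x00" in decoded:
        return None
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath() collapses '..' and follows symlinks, so one containment check
    # on the result covers both lexical and symlink-based escapes.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def build_demo_root() -> str:
    """Constructed layout (assumption): <root>/static/app.js plus a symlink
    inside the root that points at a file outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "docroot")
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "static", "app.js"), "w") as fh:
        fh.write("// sample asset\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("outside the document root\n")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "static", "leak"))
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    for path in ["/static/app.js", "/static/../../secret.txt",
                 "/static/%2e%2e/%2e%2e/secret.txt", "/static/leak"]:
        print(f"{path:40} -> {resolve_under_root(demo_root, path)}")
```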

Comment 1 Fedora Update System 2011-10-27 19:05:48 UTC
rt3-3.8.10-2.el6.1 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.