Bug 718824 (CVE-2011-2528)

Summary: CVE-2011-2528 plone: privilege escalation vulnerability
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bressers, cfeist, cluster-maint, edamato, fdinitto, jonathansteffan, kanderso, rmccabe
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-24 16:01:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 711497, 718829    
Bug Blocks: 718827    

Description Vincent Danen 2011-07-04 21:42:27 UTC 
It was reported [1] that Plone suffers from a vulnerability that can be exploited to bypass certain security restrictions.  This is due to a vulnerable bundled version of Zope.

Plone 3.x users that backported the fix for CVE-2011-0720 (PloneHotfix20110720) are affected due to the vulnerability being inadvertently backported via the hotfix.

A new hotfix (20110622) is available [2] to correct the flaw.

[1] http://plone.org/products/plone/security/advisories/20110622
[2] http://plone.org/products/plone-hotfix/releases/20110622
Comment 2 Vincent Danen 2011-07-04 21:52:41 UTC 
Created luci tracking bugs for this issue

Affects: fedora-all [bug 718829]
Comment 3 Vincent Danen 2011-07-04 21:52:43 UTC 
Created plone tracking bugs for this issue

Affects: epel-5 [bug 711497]
Comment 4 Vincent Danen 2011-07-04 22:05:42 UTC 
Also note the affects on Zope 2.12/2.13 (fixed upstream in 2.12.19 and 2.13.8):

https://mail.zope.org/pipermail/zope-announce/2011-June/002260.html

I do not believe we ship Zope at all in any products, other than some python-zope-* modules.
Comment 5 Fabio Massimo Di Nitto 2011-07-05 05:03:25 UTC 
(In reply to comment #2)
> Created luci tracking bugs for this issue
> 
> Affects: fedora-all [bug 718829]

luci does not use plone anylonger (or zope).
Comment 6 Ryan McCabe 2011-07-05 15:05:32 UTC 
Per the plone site:

"Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected; you should not install this hotifx on those sites."

So we are unaffected because we're using Plone-2.5.5 and Zope-2.9.8
Comment 7 Vincent Danen 2011-07-05 23:25:16 UTC 
(In reply to comment #6)
> Per the plone site:
> 
> "Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected;
> you should not install this hotifx on those sites."
> 
> So we are unaffected because we're using Plone-2.5.5 and Zope-2.9.8

For which packages/platforms is the above referring to?
Comment 8 Ryan McCabe 2011-07-06 15:48:51 UTC 
(In reply to comment #7)
> (In reply to comment #6)
> > Per the plone site:
> > 
> > "Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected;
> > you should not install this hotifx on those sites."
> > 
> > So we are unaffected because we're using Plone-2.5.5 and Zope-2.9.8
> 
> For which packages/platforms is the above referring to?
Sorry -- this pertains to conga on RHEL4 and RHEL5.
Comment 9 Vincent Danen 2011-07-06 17:03:06 UTC 
(In reply to comment #8) 
> > For which packages/platforms is the above referring to?
> Sorry -- this pertains to conga on RHEL4 and RHEL5.

Fantastic, thank you Ryan.  I'm assuming that when you refer to RHEL4 you're talking about the cluster product, correct?  (conga 0.11.2-4.el4).

If that is the case, then only Plone in EPEL5 is affected by this.

However, if that is indeed the case, then I'm wondering why we did an update for CVE-2011-0720 for RHEL4 and RHEL5, which seem to contain the patch that introduced this flaw.  That would imply to me that we are indeed affected:

https://www.redhat.com/security/data/cve/CVE-2011-0720.html

Judging by that alone, we should be affected, shouldn't we?
Comment 10 Ryan McCabe 2011-07-06 17:37:31 UTC 
(In reply to comment #9)
> Fantastic, thank you Ryan.  I'm assuming that when you refer to RHEL4 you're
> talking about the cluster product, correct?  (conga 0.11.2-4.el4).
> 
> If that is the case, then only Plone in EPEL5 is affected by this.
> 
> However, if that is indeed the case, then I'm wondering why we did an update
> for CVE-2011-0720 for RHEL4 and RHEL5, which seem to contain the patch that
> introduced this flaw.  That would imply to me that we are indeed affected:
> 
> https://www.redhat.com/security/data/cve/CVE-2011-0720.html
> 
> Judging by that alone, we should be affected, shouldn't we?
CVE-2011-0720 specified that Plone 2.5 was affected, which is why we applied the patch there.

http://plone.org/products/plone/security/advisories/20110622 mentions that the vulnerability in Plone3 was introduced by the previous hotfix, but it doesn't say anything similar about any other versions of Plone. I guess the previous hotfix interacted with only Plone3 in a way so as to introduce the new problem.

At the bottom of the FAQ page, they write:

"Q: I see "ImportError: No module named traversing" on startup after installing the hotfix.

You have installed the hotfix onto a Plone 2.5 or Zope 2.8/2.9 site. The Hotfix is not required; you should remove it."
Comment 11 Vincent Danen 2011-07-06 17:59:41 UTC 
Yes, the advisory indicates:

"Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected; you should not install this hotifx on those sites."

Great, thanks for the clarification Ryan.  I'll note that RHEL is unaffected by this.
Comment 12 Vincent Danen 2011-07-15 16:54:42 UTC 
This has been assigned the name CVE-2011-2528:

http://seclists.org/oss-sec/2011/q3/75