Bug 800688 (CVE-2012-1145)

Summary: CVE-2012-1145 satellite: remote package upload without authorization
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: Jan Hutař <jhutar>
Severity: medium
Priority: medium
Version: unspecified
CC: cperry, jpazdziora, mmraka, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-09-21 09:59:24 UTC
Bug Depends On: 791231, 802834, 808187, 824038
Bug Blocks: 800691

Description Vincent Danen 2012-03-06 23:17:36 UTC
It was discovered that a remote attacker was able to upload a package to a Spacewalk/Satellite NULL organization without any authorization or authentication.  A NULL organization is one to which packages synced from Red Hat Network Hosted land.  Although an attacker is not able to put packages into an arbitrary channel, he could upload several packages and fill up the /var partition with such files.  While these packages are not copied to legitimate channels and would not be downloaded by client systems, a full partition would prevent the downloading of new legitimate packages, which may include security fixes.  These packages would then be unavailable to client systems.

Comment 15 Vincent Danen 2012-03-29 18:28:35 UTC
Statement:

This vulnerability only applies to RHN Satellite 5.4 when running on Red Hat Enterprise Linux 6 under mod_wsgi.  As the code uses mod_python when performing these checks on Red Hat Enterprise Linux 5, that version is not vulnerable to this flaw.

Comment 16 errata-xmlrpc 2012-03-29 18:34:22 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2012:0436 https://rhn.redhat.com/errata/RHSA-2012-0436.html

Comment 17 Vincent Danen 2012-03-29 18:49:40 UTC
Created spacewalk-backend tracking bugs for this issue

Affects: fedora-all [bug 808187]

Comment 18 Jan Pazdziora 2012-03-30 14:02:24 UTC
Fixed in Spacewalk master, bd7ad3667f2388ae9929d1dfc03c49545e17384c. Tagged as spacewalk-backend-1.8.9-1.