Bug 1092894 – CVE-2014-3642 CFME: dangerous send method in performance.rb

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1092894 - (CVE-2014-3642) CVE-2014-3642 CFME: dangerous send method in performance.rb

Summary:	CVE-2014-3642 CFME: dangerous send method in performance.rb

Status:	CLOSED ERRATA

Aliases:	CVE-2014-3642

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20141002,repor...
Keywords:	Security

Depends On:	1142455 1142456
Blocks:	1092895
	Show dependency tree / graph

Reported:	2014-04-30 04:01 EDT by Kurt Seifried
Modified:	2014-11-06 15:14 EST (History)
CC List:	14 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that Red Hat CloudForms contained an insecure send method that accepted user-supplied arguments. An authenticated user could use this flaw to modify the program flow in a way that could result in privilege escalation.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-10-02 16:30:42 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1317	normal	SHIPPED_LIVE	Moderate: cfme security, bug fix, and enhancement update	2014-10-02 18:40:23 EDT

Groups: None (edit)

Description Kurt Seifried 2014-04-30 04:01:32 EDT

Jan Rusnacko of Red Hat reports:

current CFME code contains dangerous send in
cfme/vmdb/app/controllers/application_controller/performance.rb :

747: p_rpt.where_clause[2] =
@perf_record.send(@perf_options[:parent].underscore).id

This calls .send method on @perf_record, with argument @perf_options[:parent],
which is supplied by user:

29: @perf_options[:parent] = params[:compare_to].blank? ? nil :
params[:compare_to] if params.has_key?(:compare_to)

Comment 1 Martin Povolny 2014-08-19 09:53:22 EDT

this bug was fixed by dclarizio 2982783ab1a5432d9a63a645061986f82bb95514 in the old upstream repo

and it's fixed with the initial commit in the new repo

so this is fixed for 5.3 --> moving to to QA

Comment 3 Kurt Seifried 2014-09-16 22:21:14 EDT

Acknowledgement:

This issue was discovered by Jan Rusnacko of Red Hat Product Security.

Comment 4 Martin Prpič 2014-09-29 09:35:10 EDT

IssueDescription:

It was found that Red Hat CloudForms contained an insecure send method that accepted user-supplied arguments. An authenticated user could use this flaw to modify the program flow in a way that could result in privilege escalation.

Comment 5 errata-xmlrpc 2014-10-02 14:58:18 EDT

This issue has been addressed in the following products:

  CloudForms Management Engine 5.3

Via RHSA-2014:1317 https://rhn.redhat.com/errata/RHSA-2014-1317.html

Note You need to log in before you can comment on or make changes to this bug.