Red Hat Bugzilla – Bug 1192249
CVE-2014-8168 Satellite 6: any local user can access mongodb and delete the database
Last modified: 2015-07-07 03:58:23 EDT
Jan Hutař of Red Hat reports:

Description of problem: mongod can be accessed by any local user and pulp_database can be deleted

Expected results: Non-root local user should not be able to access or corrupt any Satellite's DB.
Please note that this issue can be worked around by setting firewall rules to only allow the required users (foreman and root) to talk to mongodb (ports 27017 and 28017, TCP):

iptables -A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner foreman -j ACCEPT
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 27017 -j DROP
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner foreman -j ACCEPT
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 28017 -j DROP
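The workaround above is a loopback owner-match allowlist, and its correctness depends on rule order (the per-user ACCEPTs must precede the DROP for each port). The script below is an added example, not Red Hat's code and not from this bug: it generates the same rules for a caller-supplied list of users and ports, applies them idempotently, and checks the resulting chain order. The user names (foreman, root), the ports (27017, 28017) and the uids in the constructed sample listing are assumptions that mirror the page; an installation that runs other service accounts against mongod would pass those instead.

```sh
#!/bin/sh
# Added example (not Red Hat's code): script the loopback owner-match
# allowlist from the workaround and verify the resulting chain order.
# Assumptions: allowed user names and TCP ports are supplied by the caller;
# the defaults used in the usage comments mirror the page (foreman, root;
# 27017, 28017).

# mongo_lo_rules "USERS" "PORTS": print one iptables command per line.
# The owner match is only valid in the OUTPUT (and POSTROUTING) chains, which
# is why the rules filter locally originated traffic on lo rather than INPUT.
# Order matters: the per-user ACCEPTs are emitted before the DROP for a port.
mongo_lo_rules() {
  users="$1"
  ports="$2"
  for port in $ports; do
    for user in $users; do
      printf 'iptables -A OUTPUT -o lo -p tcp -m tcp --dport %s -m owner --uid-owner %s -j ACCEPT\n' "$port" "$user"
    done
    printf 'iptables -A OUTPUT -o lo -p tcp -m tcp --dport %s -j DROP\n' "$port"
  done
}

# apply_mongo_lo_rules "USERS" "PORTS": idempotent apply. Each rule is first
# probed with `iptables -C`, so re-running the script does not append
# duplicate rules. Needs root and a live iptables; not invoked at top level.
apply_mongo_lo_rules() {
  mongo_lo_rules "$1" "$2" | while IFS= read -r add_cmd; do
    check_cmd=$(printf '%s' "$add_cmd" | sed 's/^iptables -A /iptables -C /')
    if ! eval "$check_cmd" >/dev/null 2>&1; then
      eval "$add_cmd"
    fi
  done
}

# verify_order "LISTING" PORT: given the text of `iptables -S OUTPUT`, succeed
# only if a DROP for PORT exists and every ACCEPT for PORT precedes it.
# iptables -S prints --uid-owner as a numeric uid, so only dport and target
# are matched here.
verify_order() {
  listing="$1"
  port="$2"
  drop_line=$(printf '%s\n' "$listing" | grep -n -- "--dport $port .*-j DROP" | head -n 1 | cut -d: -f1)
  [ -n "$drop_line" ] || return 1
  last_accept=$(printf '%s\n' "$listing" | grep -n -- "--dport $port .*-j ACCEPT" | tail -n 1 | cut -d: -f1)
  [ -n "$last_accept" ] || return 1
  [ "$last_accept" -lt "$drop_line" ]
}

# Constructed listing in `iptables -S OUTPUT` form (uids are illustrative),
# used to exercise verify_order offline; a real check feeds `iptables -S OUTPUT`.
SAMPLE_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner 991 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -j DROP
-A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner 991 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 28017 -j DROP'

# Usage when run as root on the Satellite host:
#   apply_mongo_lo_rules "foreman root" "27017 28017"
#   verify_order "$(iptables -S OUTPUT)" 27017 && echo "27017 restricted"
```

Two caveats a practitioner should keep in mind: rules appended this way live only in the running kernel and must be saved with the distribution's own mechanism to survive a reboot, and the allowlist is a mitigation rather than the fix the Statement below refers to, since mongod itself still accepts unauthenticated connections from any uid the rules let through.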
Statement: This issue affects Red Hat Satellite 6. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Please note that a fix for this issue may also be documented in the Satellite documentation.