Bug 1192249 (CVE-2014-8168) - CVE-2014-8168 Satellite 6: any local user can access mongodb and delete the database
Keywords:
Status: CLOSED DEFERRED
Alias: CVE-2014-8168
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150218,reported=2...
Depends On: 1192251
Blocks: 1192250
Reported: 2015-02-13 00:18 UTC by Kurt Seifried
Modified: 2019-06-08 20:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-06 19:05:56 UTC



Description Kurt Seifried 2015-02-13 00:18:08 UTC
Jan Hutař of Red Hat reports:

Description of problem:
mongod can be accessed by any local user and pulp_database can be deleted

Expected results:
A non-root local user should not be able to access or corrupt any Satellite DB.

Comment 2 Kurt Seifried 2015-07-06 19:04:58 UTC
Please note that this issue can be worked around by setting firewall rules to only allow the required users (foreman and root) to talk to mongodb (ports 27017 and 28017, TCP):

iptables -A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner foreman -j ACCEPT
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 27017 -j DROP
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner foreman -j ACCEPT
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -o lo -p tcp -m tcp --dport 28017 -j DROP
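An added helper, not part of this bug report or of Satellite, that generates the rule set from the comment above for a configurable user/port list and audits an existing OUTPUT chain listing (the `-A OUTPUT ...` lines that `iptables -S OUTPUT` prints) for the two ways this workaround silently fails: an ACCEPT for a user outside the allowed set placed before the port's DROP, or no catch-all DROP for the port at all. The sample rule lines are constructed; the audit compares the `--uid-owner` strings as given, so on a live host where iptables prints numeric uids pass the uids you expect instead of names.

```python
"""Generate and audit the loopback owner-match rules for MongoDB ports.

Added example for the CVE-2014-8168 workaround; not code from the bug report.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

ALLOWED_USERS = {"foreman", "root"}  # users named in comment 2
MONGO_PORTS = {27017, 28017}         # mongod client port and HTTP status port


@dataclass
class Rule:
    dport: int
    uid_owner: Optional[str]  # None means the rule matches every local user
    target: str


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one OUTPUT rule ('iptables -A OUTPUT ...' or '-A OUTPUT ...').

    Returns None for anything that is not a tcp rule on lo with a --dport,
    so unrelated chain entries are ignored rather than misreported.
    """
    toks = shlex.split(line)
    if toks[:1] == ["iptables"]:
        toks = toks[1:]
    if toks[:2] != ["-A", "OUTPUT"]:
        return None
    opts = {}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "-m":               # match-module selectors carry no value we need
            i += 2
        elif tok in ("-o", "-p", "--dport", "--uid-owner", "-j") and i + 1 < len(toks):
            opts[tok] = toks[i + 1]
            i += 2
        else:
            i += 1
    if opts.get("-o") != "lo" or opts.get("-p") != "tcp":
        return None
    if "--dport" not in opts or "-j" not in opts:
        return None
    return Rule(int(opts["--dport"]), opts.get("--uid-owner"), opts["-j"])


def audit(rule_lines: List[str], ports=MONGO_PORTS, allowed=ALLOWED_USERS) -> List[str]:
    """Return findings for the given chain listing; an empty list means the
    workaround is in place. Rules are walked in chain order, as the kernel
    evaluates them: only rules before a port's catch-all DROP can match."""
    findings = []
    rules = [r for r in map(parse_rule, rule_lines) if r is not None]
    for port in sorted(ports):
        dropped = False
        for r in (r for r in rules if r.dport == port):
            if dropped:
                continue              # shadowed by the DROP; never reached
            if r.target == "ACCEPT":
                if r.uid_owner is None:
                    findings.append(f"{port}: unrestricted ACCEPT before DROP")
                elif r.uid_owner not in allowed:
                    findings.append(f"{port}: ACCEPT for unexpected user {r.uid_owner}")
            elif r.target == "DROP" and r.uid_owner is None:
                dropped = True
        if not dropped:
            findings.append(f"{port}: no catch-all DROP rule")
    return findings


def generate_rules(ports=MONGO_PORTS, allowed=ALLOWED_USERS) -> List[str]:
    """Emit the comment-2 rule set: per port, one ACCEPT per allowed user,
    then the catch-all DROP that must come last."""
    lines = []
    for port in sorted(ports):
        for user in sorted(allowed):
            lines.append(
                f"iptables -A OUTPUT -o lo -p tcp -m tcp --dport {port}"
                f" -m owner --uid-owner {user} -j ACCEPT"
            )
        lines.append(f"iptables -A OUTPUT -o lo -p tcp -m tcp --dport {port} -j DROP")
    return lines


# Constructed chain listing with two defects: an ACCEPT for 'apache' on 27017
# and no DROP for 28017. The port-22 rule is unrelated and must be ignored.
SAMPLE_BAD_CHAIN = [
    "-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner foreman -j ACCEPT",
    "-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -m owner --uid-owner apache -j ACCEPT",
    "-A OUTPUT -o lo -p tcp -m tcp --dport 27017 -j DROP",
    "-A OUTPUT -o lo -p tcp -m tcp --dport 28017 -m owner --uid-owner root -j ACCEPT",
    "-A OUTPUT -o lo -p tcp -m tcp --dport 22 -j ACCEPT",
]

if __name__ == "__main__":
    print("\n".join(generate_rules()))
    for finding in audit(SAMPLE_BAD_CHAIN):
        print("FINDING:", finding)
```

On a Satellite host the listing to feed `audit()` is the output of `iptables -S OUTPUT`; the generated rules are the comment's workaround and should be appended in the printed order, since an ACCEPT that lands after the DROP is dead and a DROP that lands before the ACCEPTs cuts off foreman itself.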

Comment 3 Kurt Seifried 2015-07-06 19:05:56 UTC
Statement:

This issue affects Red Hat Satellite 6. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Please note that a fix for this issue may also be documented in the Satellite documentation.

