Bug 1206332 – CVE-2015-1841 RHEV-M: webadmin automatic logout fails if VM is selected

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1206332 - (CVE-2015-1841) CVE-2015-1841 RHEV-M: webadmin automatic logout fails if VM is selected

Summary:	CVE-2015-1841 RHEV-M: webadmin automatic logout fails if VM is selected

Status:	MODIFIED

Aliases:	CVE-2015-1841

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20150326,reported=2...
Keywords:	Security

Depends On:	1206338 1206385
Blocks:	1206344 1206715
	Show dependency tree / graph

Reported:	2015-03-26 15:49 EDT by Kurt Seifried
Modified:	2018-07-18 10:37 EDT (History)
CC List:	12 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that the idle timeout in the Red Hat Enterprise Virtualization Manager Web Admin interface failed to log out a session if a VM has been selected in the VM grid view. This could allow a local attacker to access the web interface if it was left unattended.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	39420	ovirt-engine-3.5.2	MERGED	webadmin: no auto logout when idle	Never
oVirt gerrit	39446	ovirt-engine-3.5	MERGED	webadmin: no auto logout when idle	Never
oVirt gerrit	39454	ovirt-engine-3.5.2	MERGED	webadmin: Revert cad6926bf551c86effcc539a8c45d2de0e4029f1	Never
oVirt gerrit	41360	ovirt-engine-3.5	MERGED	webadmin: fix refresh status.	Never
Red Hat Product Errata	RHSA-2015:1713	normal	SHIPPED_LIVE	Important: rhev-hypervisor security, bug fix, and enhancement update	2015-09-03 17:08:30 EDT

Groups: None (edit)

Description Kurt Seifried 2015-03-26 15:49:38 EDT

Einav Cohen of Red Hat reports:

When browsing to the web-admin, selecting the VMs main tab, selecting a VM in
the VMs grid and leaving the web-admin idle, the web-admin doesn't log out.

Comment 3 Ján Rusnačko 2015-09-03 09:52:17 EDT

Acknowledgement:

This issue was discovered by Einav Cohen or Red Hat.

Comment 4 errata-xmlrpc 2015-09-03 13:09:14 EDT

This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6
  RHEV-H and Agents for RHEL-7

Via RHSA-2015:1713 https://rhn.redhat.com/errata/RHSA-2015-1713.html

Note You need to log in before you can comment on or make changes to this bug.