Bug 1322706 - (CVE-2016-3095) CVE-2016-3095 pulp: Potential leakage when generating new CA key in /tmp
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20160331,reported=2...
Keywords: Security
Blocks: 1322708
Reported: 2016-03-31 03:48 EDT by Adam Mariš
Modified: 2016-04-06 16:58 EDT
Doc Type: Bug Fix
Last Closed: 2016-03-31 14:40:46 EDT
Attachments: None

Description Adam Mariš 2016-03-31 03:48:56 EDT
It was found that CA keys newly generated by running the pulp-gen-ca-certificate script (which is run by the spec file when pulp is installed) are insufficiently protected against reading by other users for the time the script runs.

Vulnerable code:

https://github.com/pulp/pulp/blob/2.8.0/server/bin/pulp-gen-ca-certificate
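As an added illustration (this is not pulp's own pulp-gen-ca-certificate script, and not the code from the linked fix), the shell script below isolates the pattern the report describes, a key generated under the shared /tmp with the installer's umask and tightened only afterwards, and places a hardened form beside it together with a post-install check a practitioner can run against an existing CA key. The function names, the assumed installer umask of 022, and the random-byte stand-in used when openssl is absent are all this example's own assumptions.

```shell
#!/bin/sh
# Added example, not pulp's pulp-gen-ca-certificate script and not the fix from
# the pull request: it isolates the file-permission pattern the report
# describes. All names here (gen_key_to, insecure_gen_ca_key,
# secure_gen_ca_key, key_mode, check_private_key_mode) are this example's own.

# Permission bits of a file in octal (GNU stat, with a BSD stat fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write a private key to $1 through a shell redirection, so the file is
# created with 0666 masked by the current umask, which is the situation the
# report describes. openssl is used when present; otherwise a constructed
# stand-in of random bytes keeps the example runnable offline (the mode the
# file is born with is the point, not the key material).
gen_key_to() {
    if command -v openssl >/dev/null 2>&1; then
        openssl genrsa 2048 2>/dev/null > "$1"
    else
        head -c 256 /dev/urandom | base64 > "$1"
    fi
}

# The pattern the report describes: the key lands in the shared /tmp with the
# installer's umask (022 assumed here, a common default) and is tightened only
# afterwards. Between those two steps every local user can read it.
insecure_gen_ca_key() {
    final="$1"
    saved_umask=$(umask)
    umask 022
    tmp="${TMPDIR:-/tmp}/ca-key-example.$$"
    gen_key_to "$tmp"
    INSECURE_WINDOW_MODE=$(key_mode "$tmp")   # mode during the window: 644
    chmod 600 "$tmp"
    mv "$tmp" "$final"
    umask "$saved_umask"
}

# Hardened form: set a restrictive umask before any file exists and generate
# inside a private mktemp directory, so the key is 0600 from its first byte
# and never sits in a directory other users can list.
secure_gen_ca_key() {
    final="$1"
    saved_umask=$(umask)
    umask 077
    tmpdir=$(mktemp -d)                        # 0700, unpredictable name
    gen_key_to "$tmpdir/ca.key"
    SECURE_WINDOW_MODE=$(key_mode "$tmpdir/ca.key")   # 600, no window
    mv "$tmpdir/ca.key" "$final"
    rmdir "$tmpdir"
    umask "$saved_umask"
}

# Post-install audit for an existing CA key: succeeds only when no group or
# other permission bits are set.
check_private_key_mode() {
    case "$(key_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo: sh example.sh demo
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    insecure_gen_ca_key "$out/insecure.key"
    secure_gen_ca_key "$out/secure.key"
    echo "insecure pattern: key mode while it sat in /tmp was $INSECURE_WINDOW_MODE"
    echo "hardened pattern: key mode during generation was $SECURE_WINDOW_MODE"
    check_private_key_mode "$out/secure.key" && echo "audit: secure.key is private"
    rm -rf "$out"
fi
```

The key is written through a redirection so that the resulting file mode follows the umask; a tool that opens its own output with a fixed 0600 mode would not show the window, which is why the example does not rely on that behaviour. The umask-first ordering matters more than the final chmod: once a world-readable file has existed, even briefly, another local user may already hold an open descriptor on it, and chmod does not revoke that.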
Comment 1 Adam Mariš 2016-03-31 03:49:06 EDT
Acknowledgments:

Name: Randy Barlow (Red Hat)
Comment 2 Randy Barlow 2016-03-31 10:41:54 EDT
This upstream pull request fixes this issue and also raises the size of the default CA key:

https://github.com/pulp/pulp/pull/2503
Comment 3 Mike McCune 2016-03-31 11:17:43 EDT
Satellite 6's use of Pulp does not utilize certificate based authentication to Pulp's API, we only authenticate via OAuth so it appears that our product is not vulnerable to this CVE.
Comment 4 Mike McCune 2016-03-31 11:18:42 EDT
IRC conversation with Randy for a bit more details:

<bowlofeggs> do you know if katello/satellite uses pulp's internal cacert or not? https://bugzilla.redhat.com/show_bug.cgi?id=1322706 is about how there is a low impact vulnerability during the generation of those certs
<bowlofeggs> the way you could tell is if the cacert setting in pulp's server.conf is commented or not
<bowlofeggs> or, if you replace the file with katello installer
<mmccune> checking
<mmccune> # consumer_cert_expiration: number of days a consumer certificate is valid
<mmccune> cacert: /etc/pki/pulp/ca.crt
<bowlofeggs> this would be in the [security] section
<mmccune> that?
<bowlofeggs> yeah
<mmccune> let me see if we generate that
<bowlofeggs> so it's uncommented, but it's also set to the default
<mmccune> yup
<bowlofeggs> pulp has a little utility called pulp-gen-ca-cert (or something like that) that our spec file runs during install
<bowlofeggs> you do generate that file yourself?
<bowlofeggs> do you use our utility?
<bowlofeggs> or do you do it all on your own?
<mmccune> checking
* bowlofeggs crosses fingers
<mmccune> what uses that CA cert?
<bowlofeggs> this CA cert is used by two things - when a pulp login call happens, that CA generates a client cert/key that is handed back on the response
<bowlofeggs> secondly, that CA is used by httpd to authenticate any calls that use certificate auth
<mmccune> we only use oauth to talk to pulp
<mmccune> yeah, we dont generate or touch that file
<bowlofeggs> oh interesting
<mmccune> so it is relying on whatever you do in %post
<bowlofeggs> if you only use oauth and never use certificates, then you are not vulnerable
<mmccune> nothing uses cert auth in sat6 to talk to pulp
<bowlofeggs> cool
<bowlofeggs> do you want to make that comment on the bug, or do you want me to?
<mmccune> i got it
<bowlofeggs> excellent. thanks mike!
<bowlofeggs> it's def a low severity bug anyway, but i wanted to inform product security on whether the product needed a fix or not
<bowlofeggs> we can just fix it upstream
<bowlofeggs> feel free to paste this convo in the bug if you want
<mmccune> yeah, we can just get it for free in 6.2 if it lands in 2.8.X
<bowlofeggs> yeah i think it'll be in 2.8.2
Comment 5 Kurt Seifried 2016-03-31 13:57:36 EDT
RHUI 2.x is also not affected as it uses an older version that doesn't ship this.
Comment 6 Kurt Seifried 2016-03-31 14:36:10 EDT
RHUI 3 will have pulp 2.8.2 or later.
Comment 7 Kurt Seifried 2016-03-31 14:40:46 EDT
Statement:

This issue did not affect the versions of pulp as shipped with Red Hat Satellite 6.x and Red Hat Update Infrastructure 2.x as they did not include support for pulp-gen-ca-certificate.
