Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1399333

Summary: Cobbler upstream suffers from an invalid parameter allows file reading
Product: Red Hat Satellite 5
Reporter: Fotios Tsiadimos <ftsiadim>
Component: Provisioning
Assignee: Jan Dobes <jdobes>
Status: CLOSED WONTFIX
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: urgent
Priority: urgent
Version: 570
CC: kseifried, ktordeur, tlestach
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2017-03-29 14:18:26 UTC
Type: Bug

Description Fotios Tsiadimos 2016-11-28 18:56:59 UTC
Description of problem:

The Cobbler software component suffers from an invalid parameter validation vulnerability, leading to arbitrary file reading. Navigate to the following URL on a default installation of cobbler and cobbler-web (version 2.6.11-1):
http://localhost/cblr/svc/profile/<valid_profile>/op/script?scriptx=script/script/script/script/script/script/script/script/&script=../../../../../etc/passwd


We assume that the exploit does not work because we are not affected. We assume that this is due to a way older version of cobbler being used in Satellite (cobbler-2.0.7-66.el6sat.noarch) vs. Github (2.8.0). We assume that the exploit targets the "scripts" endpoint. In cobbler/services.py we do find a handler for this endpoint in cobbler-2.8 (https://github.com/cobbler/cobbler/blob/master/cobbler/services.py#L94), but we do not see such a handler in our Satellite-based setup. It seems that this feature (and therefore probably also this bug) has been introduced in cobbler-2.6 (https://github.com/cobbler/cobbler/commit/955568d075abea57ec9d3cff01eb80a6eb37482f).


Satellite 5.7 cobbler-2.0.7-66.el6sat.noarch

Cobbler upstream Github (2.8.0)


Please verify whether this vulnerability affects Satellite 5.
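
Added example, not part of the original report and not Cobbler's own code: a detection check for web-server logs that flags `op/script` requests under `/cblr/svc/` whose `script` parameter is absolute or climbs out of its base directory, including percent-encoded and double-encoded forms. The sample request targets, the profile name `demo`, the script name `late_setup` and all function names are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

SVC_PREFIX = "/cblr/svc/"

def climbs_out(rel: str) -> bool:
    """True if a relative name is absolute or walks above its base directory."""
    rel = rel.replace("\\", "/")
    if rel.startswith("/"):
        return True
    depth = 0
    for seg in rel.split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False

def is_script_traversal(target: str) -> bool:
    """Flag an op/script request whose `script` parameter escapes its base."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if not path.startswith(SVC_PREFIX):
        return False
    # Assumption from the URL shape in the report: the path after /cblr/svc/
    # is a run of name/value pairs (profile/<name>/op/script).
    segs = [s for s in path[len(SVC_PREFIX):].split("/") if s]
    fields = dict(zip(segs[0::2], segs[1::2]))
    if fields.get("op") != "script":
        return False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double encoding.
        if key == "script" and climbs_out(unquote(value)):
            return True
    return False

# Constructed request targets; "demo" is a made-up profile name.
SAMPLES = [
    "/cblr/svc/profile/demo/op/script?scriptx=script/script/&script=../../../../../etc/passwd",
    "/cblr/svc/profile/demo/op/script?script=%252e%252e%252fetc%252fpasswd",
    "/cblr/svc/profile/demo/op/script?script=late_setup",
    "/cblr/svc/op/ks/profile/demo",
]

def flagged(targets):
    """Return the request targets that should raise an alert."""
    return [t for t in targets if is_script_traversal(t)]

if __name__ == "__main__":
    for t in flagged(SAMPLES):
        print("ALERT", t)
```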

Comment 3 Kenny Tordeurs 2017-03-29 12:25:33 UTC
Statement:

Red Hat Satellite 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/satellite

Comment 5 Kenny Tordeurs 2017-03-29 14:18:26 UTC
Satellite marked as not affected per [0]

[0] https://access.redhat.com/security/cve/CVE-2016-9605