Bug 1500517 - (CVE-2017-12191) CVE-2017-12191 CFME: VMRC plugin console grants users administrative access
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20180227,repo...
Keywords: Security
Depends On: 1479840 1500518 1507165 1536537
Blocks: 1486789
 
Reported: 2017-10-10 15:54 EDT by Kurt Seifried
Modified: 2018-02-28 08:04 EST

Doc Text:
A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMware Remote Console) functions that may not be appropriate for users of CloudForms (and thus this account). An attacker could use this vulnerability to view and make changes to settings in the VMRC and virtual machines controlled by it that they should not have access to.




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0374 normal SHIPPED_LIVE Important: Red Hat CloudForms security, bug fix, and enhancement update 2018-02-28 13:04:37 EST

Description Kurt Seifried 2017-10-10 15:54:58 EDT
Gellert Kis of Red Hat reports:

The CloudForms VMRC plugin console grants users administrative access due to incorrect session privileges.
Comment 3 Kurt Seifried 2018-01-12 15:47:14 EST
Acknowledgments:

Name: Gellert Kis (Red Hat)
Comment 6 errata-xmlrpc 2018-02-28 08:04:08 EST
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2018:0374 https://access.redhat.com/errata/RHSA-2018:0374
