Bug 1560035 – CVE-2018-1090 pulp: sensitive credentials revealed through the API

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1560035 - (CVE-2018-1090) CVE-2018-1090 pulp: sensitive credentials revealed through the API

Summary:	CVE-2018-1090 pulp: sensitive credentials revealed through the API

Status:	POST

Aliases:	CVE-2018-1090

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180323,repor...
Keywords:	Security

Depends On:	1560080 1564123
Blocks:	1560037
	Show dependency tree / graph

Reported:	2018-03-23 14:48 EDT by Laura Pardo
Modified:	2018-10-16 11:21 EDT (History)
CC List:	22 users (show)

See Also:
Fixed In Version:	pulp 2.16.2
Doc Type:	If docs needed, set a value
Doc Text:	In pulp, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Pulp Redmine	3521	Normal	CLOSED - CURRENTRELEASE	last_override_config exposes sensitive info	2018-09-12 13:02 EDT
Red Hat Product Errata	RHSA-2018:2927	None	None	None	2018-10-16 11:21 EDT

Groups: None (edit)

Description Laura Pardo 2018-03-23 14:48:29 EDT

A flaw was found in Pulp. Importers and distributors have a "last_override_config" object which is exposed via the API. In several cases, secrets are passed into override_config when triggering a task. If these config items are given, they're stored in last_override_config and then become readable to all users with read access on the distributor/importer. Since Pulp installations internally have widely shared read-only accounts which allows everyone to freely data mine / build applications on top of our Pulp without administrative hassle, saved credentials might be accidentally revealed through the API to unwanted users.

Comment 1 Kurt Seifried 2018-03-23 16:44:19 EDT

Created pulp tracking bugs for this issue:

Affects: fedora-all [bug 1560080]

Comment 3 Kurt Seifried 2018-03-23 16:53:23 EDT

External References:

https://pulp.plan.io/issues/3521

Comment 4 pulp-infra@redhat.com 2018-03-23 17:08:18 EDT

The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 5 pulp-infra@redhat.com 2018-03-23 17:08:28 EDT

The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 9 Andrej Nemec 2018-05-14 11:25:31 EDT

Statement:

This issue affects the versions of pulp as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having security impact of (Low|Moderate). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of pulp as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 pulp-infra@redhat.com 2018-06-01 14:33:06 EDT

The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 11 pulp-infra@redhat.com 2018-06-01 17:12:03 EDT

The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

Comment 12 pulp-infra@redhat.com 2018-06-04 11:36:49 EDT

The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 13 pulp-infra@redhat.com 2018-06-04 12:02:47 EDT

All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Comment 14 Bryan Kearney 2018-06-05 09:36:30 EDT

Comment 15 Bryan Kearney 2018-06-05 09:37:01 EDT

This is fiexed in pulp-2.16.2

Comment 16 pulp-infra@redhat.com 2018-09-12 13:02:33 EDT

The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 17 errata-xmlrpc 2018-10-16 11:21:31 EDT

This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

Note You need to log in before you can comment on or make changes to this bug.

austin
bbouters
bcourt
bizhang
bkearney
cbillett
daviddavis
dkliban
ipanova
jmatthew
jortel
mhrivnak
mmccune
mrike
ohadlevy
pcreech
rchan
security-response-team
tjay
tomckay
tsanders
ttereshc