1640820 – (CVE-2018-16838) CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions

Bug 1640820 (CVE-2018-16838) - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions

Summary: CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive p...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-16838
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1660874 1669357 1712000
Blocks:	1640821
TreeView+	depends on / blocked

Reported:	2018-10-18 20:17 UTC by Laura Pardo
Modified:	2023-02-27 19:12 UTC (History)
CC List:	30 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-08-06 13:20:02 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:2177	None	None	None	2019-08-06 12:24:23 UTC
Red Hat Product Errata	RHSA-2019:2437	None	None	None	2019-08-12 11:54:16 UTC
Red Hat Product Errata	RHSA-2019:3651	None	None	None	2019-11-05 21:24:07 UTC

Description Laura Pardo 2018-10-18 20:17:18 UTC

A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.

Comment 8 Cedric Buissart 2019-05-20 15:38:32 UTC

Upstream fix : https://pagure.io/SSSD/sssd/c/ad058011b6b75b15c674be46a3ae9b3cc5228175

Comment 10 Dhananjay Arunesh 2019-07-05 03:07:16 UTC

Reference:
https://pagure.io/SSSD/sssd/issue/3867

Comment 12 errata-xmlrpc 2019-08-06 12:24:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2177 https://access.redhat.com/errata/RHSA-2019:2177

Comment 13 Product Security DevOps Team 2019-08-06 13:20:02 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-16838

Comment 14 errata-xmlrpc 2019-08-12 11:54:13 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:2437 https://access.redhat.com/errata/RHSA-2019:2437

Comment 15 errata-xmlrpc 2019-11-05 21:24:05 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3651 https://access.redhat.com/errata/RHSA-2019:3651

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
abokovoy
bmcclain
dbaker
dblechte
dfediuck
eedri
grajaiya
jhrozek
jokerman
lpardo
lslebodn
meissner
mgoldboi
michal.skrivanek
mupadhye
mzidek
pbrezina
rdlugyhe
rharwood
sbonazzo
sbose
security-response-team
sherold
ssorce
sssd-maint
sthangav
trankin
tscherf
yturgema