Bug 1684275 (CVE-2019-3845) - CVE-2019-3845 katello-installer-base: QMF methods exposed to goferd via qdrouterd
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3845
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1685586 1685587 1685588 1686547
Blocks: 1684277
Reported: 2019-02-28 21:09 UTC by Laura Pardo
Modified: 2022-02-22 15:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to access QMF methods to any host also registered to Satellite (or Capsule) and execute privileged commands.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:49:34 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0733 0 None None None 2019-04-09 17:23:04 UTC
Red Hat Product Errata RHSA-2019:0734 0 None None None 2019-04-09 17:26:35 UTC
Red Hat Product Errata RHSA-2019:0735 0 None None None 2019-04-09 17:23:21 UTC
Red Hat Product Errata RHSA-2019:1223 0 None None None 2019-05-14 13:03:08 UTC

Description Laura Pardo 2019-02-28 21:09:22 UTC
A vulnerability was found in qpid-dispatch-router. Any logged-in user can access QMF methods on Satellite's qpid broker, which allows them to (un)install any available package on any system (managed by the Satellite) that runs katello-agent / goferd.

Comment 2 Laura Pardo 2019-02-28 22:14:44 UTC
Acknowledgments:

Name: Pavel Moravec (Red Hat)

Comment 7 Richard Maciel Costa 2019-03-19 17:31:53 UTC
Mitigation:

On Satellite Server follow the instructions below:

* Modify /etc/qpid/qpidd.conf to add this line:

acl-file=qpid_acls.acl


* Create a new file: /var/lib/qpidd/.qpidd/qpid_acls.acl with content:

acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create

acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all

# allow anything else
acl allow all all


* As root, execute the command:
# systemctl restart qpidd


* In /etc/qpid-dispatch/qdrouterd.conf modify the connector:

connector {
	name: broker
	host: localhost
	port: 5671
	sasl-mechanisms: PLAIN
	sasl-username: katello_agent
	sasl-password: katello_agent
	role: route-container
	ssl-profile: client
	idle-timeout-seconds: 0
}


* As root, execute the command:
# systemctl restart qdrouterd


These ACLs will prevent clients from redirecting or moving messages to various queues, which is the nature of the CVE.
All other behavior will be unchanged (acl allow all all), which is the current baseline.
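As an added example (not part of this bug report or of any Red Hat tooling), a POSIX shell audit that checks whether the mitigation elements above are in place: the acl-file setting in qpidd.conf, the katello_agent allow/deny-log rules and their ordering relative to the catch-all allow, and the qdrouterd connector logging in as katello_agent. File paths are passed as arguments, and the sample files it runs against are constructed inline.

```shell
#!/bin/sh
# Added example, not from the bug report: audit whether the interim ACL mitigation
# from Comment 7 is in place. Paths are arguments so it runs against constructed
# copies; on a Satellite server they would be /etc/qpid/qpidd.conf,
# /var/lib/qpidd/.qpidd/qpid_acls.acl and /etc/qpid-dispatch/qdrouterd.conf.
check_qpid_mitigation() {
    qpidd_conf=$1 acl_file=$2 qdrouterd_conf=$3 missing=0
    # qpidd enforces ACLs only when an acl-file is configured.
    grep -q '^acl-file=' "$qpidd_conf" 2>/dev/null || { echo "missing: acl-file= in $qpidd_conf"; missing=1; }
    # katello_agent gets the one QMF method it needs (create); every other method
    # and anything not explicitly allowed is denied and logged.
    for rule in 'allow katello_agent@QPID access method name=create' \
                'deny-log katello_agent@QPID access method name=\*' \
                'deny-log katello_agent@QPID all all'; do
        grep -q "^acl $rule" "$acl_file" 2>/dev/null || { echo "missing rule: acl $rule"; missing=1; }
    done
    # Rules are evaluated top-down, so the denies are dead if 'acl allow all all' comes first.
    deny=$(grep -n '^acl deny-log katello_agent@QPID all all' "$acl_file" 2>/dev/null | head -n1 | cut -d: -f1)
    any=$(grep -n '^acl allow all all' "$acl_file" 2>/dev/null | head -n1 | cut -d: -f1)
    if [ -n "$deny" ] && [ -n "$any" ] && [ "$any" -lt "$deny" ]; then
        echo "ordering: 'acl allow all all' precedes the katello_agent deny rules"; missing=1
    fi
    # The ACL binds to the router's traffic only if qdrouterd logs in as katello_agent.
    grep -Eq '^[[:space:]]*sasl-username:[[:space:]]*katello_agent[[:space:]]*$' "$qdrouterd_conf" 2>/dev/null \
        || { echo "missing: sasl-username: katello_agent in $qdrouterd_conf"; missing=1; }
    return $missing
}

# Constructed fixtures (not real Satellite files): a hardened set and the unmitigated baseline.
fixture() {  # usage: fixture <dir> hardened|baseline
    mkdir -p "$1"
    printf 'connector {\n\tname: broker\n\tsasl-username: katello_agent\n\trole: route-container\n}\n' > "$1/qdrouterd.conf"
    if [ "$2" = hardened ]; then
        printf 'acl-file=qpid_acls.acl\n' > "$1/qpidd.conf"
        printf '%s\n' 'acl allow katello_agent@QPID create queue' \
            'acl allow katello_agent@QPID access method name=create' \
            'acl deny-log katello_agent@QPID access method name=*' \
            'acl deny-log katello_agent@QPID all all' 'acl allow all all' > "$1/qpid_acls.acl"
    else
        printf 'auth=yes\n' > "$1/qpidd.conf"
        printf 'acl allow all all\n' > "$1/qpid_acls.acl"
    fi
}

tmp=$(mktemp -d)
fixture "$tmp/good" hardened; fixture "$tmp/bad" baseline
check_qpid_mitigation "$tmp/good/qpidd.conf" "$tmp/good/qpid_acls.acl" "$tmp/good/qdrouterd.conf" && echo "good: mitigated"
check_qpid_mitigation "$tmp/bad/qpidd.conf" "$tmp/bad/qpid_acls.acl" "$tmp/bad/qdrouterd.conf" || echo "bad: not mitigated"
```

The check reports each missing element rather than stopping at the first, so a partially applied mitigation (for example, the ACL file written but the acl-file line never added to qpidd.conf) shows up as exactly that.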

Comment 10 errata-xmlrpc 2019-04-09 17:23:03 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2019:0733 https://access.redhat.com/errata/RHSA-2019:0733

Comment 11 errata-xmlrpc 2019-04-09 17:23:20 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2019:0735 https://access.redhat.com/errata/RHSA-2019:0735

Comment 12 errata-xmlrpc 2019-04-09 17:26:34 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.2 for RHEL 6
  Red Hat Satellite 6.2 for RHEL 7

Via RHSA-2019:0734 https://access.redhat.com/errata/RHSA-2019:0734

Comment 15 errata-xmlrpc 2019-05-14 13:03:06 UTC
This issue has been addressed in the following products:

  Satellite Tools 6.5 for RHEL 7
  Satellite Tools 6.5 for RHEL 7.4.EUS
  Satellite Tools 6.5 for RHEL 7.5.EUS
  Satellite Tools 6.5 for RHEL 7.6.EUS
  Satellite Tools 6.5 for RHEL 7.3.AUS
  Satellite Tools 6.5 for RHEL 7.4.AUS
  Satellite Tools 6.5 for RHEL 7.2.E4S
  Satellite Tools 6.5 for RHEL 7.3.E4S
  Satellite Tools 6.5 for RHEL 7.4.E4S
  Satellite Tools 6.5 for RHEL 7.2.TUS
  Satellite Tools 6.5 for RHEL 7.3.TUS
  Satellite Tools 6.5 for RHEL 7.4.TUS
  Satellite Tools 6.5 for RHEL 7.6.E4S
  Satellite Tools 6.5 for RHEL 7.6.AUS
  Satellite Tools 6.5 for RHEL 7.6.TUS
  Satellite Tools 6.5 for RHEL 5.9.AUS
  Satellite Tools 6.5 for RHEL 5.ELS
  Satellite Tools 6.5 for RHEL 6.4.AUS
  Satellite Tools 6.5 for RHEL 6.5.AUS
  Satellite Tools 6.5 for RHEL 6.6.AUS
  Satellite Tools 6.5 for RHEL 7.2.AUS
  Satellite Tools 6.5 for RHEL 6
  Satellite Tools 6.5 for RHEL 8

Via RHSA-2019:1223 https://access.redhat.com/errata/RHSA-2019:1223

Comment 17 Cedric Buissart 2019-07-31 14:45:41 UTC
Statement:

On Red Hat Satellite 6.5, the Satellite 6.5 GA release includes a version of katello-installer-base that provides the fixes for this issue.

Comment 23 Yadnyawalk Tale 2022-02-22 15:01:40 UTC
It is super confusing looking at where the issue was and where it got fixed. I see some indirect fixes are in puppet-foreman_proxy_content, puppet-katello and puppet-qpid too. However, from the errata I can confirm the issue got fixed in katello-installer-base-3.10.0.6-1 through RHSA-2019:0735.

To answer comment#18, whatever Cedric and Pavel said is correct; this vulnerability does not have anything to do with beautifulsoup4. I think container images were getting flagged because of an incorrect CVE mapping with the RPM. I've corrected this CVE mapping from the advisory so it is now mapping to the correct RPM (katello-installer-base). I expect once the CVE page gets updated, the container image should not flag it incorrectly.

