Bug 1684978 (CVE-2019-3879) - CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks
Summary: CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user...
Keywords:
Status: ON_QA
Alias: CVE-2019-3879
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1642872 1692380
Blocks: 1679052
TreeView+ depends on / blocked
 
Reported: 2019-03-04 04:09 UTC by Doran Moppert
Modified: 2023-07-07 08:31 UTC (History)
6 users (show)

Fixed In Version: ovirt-engine 4.3.2.1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Doran Moppert 2019-03-04 04:09:00 UTC 
It was discovered that in the ovirt REST API, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped.  A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.
Comment 2 Doran Moppert 2019-04-03 06:36:56 UTC 
Upstream fix:

https://gerrit.ovirt.org/#/c/98153/
Comment 4 Sandro Bonazzola 2019-04-29 07:30:04 UTC 
(In reply to Doran Moppert from comment #2)
> Upstream fix:
> 
> https://gerrit.ovirt.org/#/c/98153/

$ git tag --contains b6840a6c6221470c31e5f4d9f718239a9d44149d
ovirt-engine-4.3.2.1
ovirt-engine-4.3.3
ovirt-engine-4.3.3.1
ovirt-engine-4.3.3.2
ovirt-engine-4.3.3.3
ovirt-engine-4.3.3.4
ovirt-engine-4.3.3.5
ovirt-engine-4.3.3.6
Comment 6 Doran Moppert 2019-04-29 08:19:13 UTC 
This issue was addressed in the following erratum for Red Hat Virtualization 4.2:

https://access.redhat.com/errata/RHBA-2019:0802
Note You need to log in before you can comment on or make changes to this bug.