1684978 – (CVE-2019-3879) CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks

Bug 1684978 (CVE-2019-3879) - CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks

Summary: CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user...

Keywords:
Status:	ON_QA
Alias:	CVE-2019-3879
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1642872 1692380
Blocks:	1679052
TreeView+	depends on / blocked

Reported:	2019-03-04 04:09 UTC by Doran Moppert
Modified:	2023-07-07 08:31 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ovirt-engine 4.3.2.1
Doc Type:	If docs needed, set a value
Doc Text:	It was discovered that in the ovirt REST API, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (e.g. Basic Operations) could exploit this flaw to delete disks attached to guests.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Doran Moppert 2019-03-04 04:09:00 UTC

It was discovered that in the ovirt REST API, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped.  A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.

Comment 2 Doran Moppert 2019-04-03 06:36:56 UTC

Upstream fix:

https://gerrit.ovirt.org/#/c/98153/

Comment 4 Sandro Bonazzola 2019-04-29 07:30:04 UTC

(In reply to Doran Moppert from comment #2)
> Upstream fix:
> 
> https://gerrit.ovirt.org/#/c/98153/

$ git tag --contains b6840a6c6221470c31e5f4d9f718239a9d44149d
ovirt-engine-4.3.2.1
ovirt-engine-4.3.3
ovirt-engine-4.3.3.1
ovirt-engine-4.3.3.2
ovirt-engine-4.3.3.3
ovirt-engine-4.3.3.4
ovirt-engine-4.3.3.5
ovirt-engine-4.3.3.6

Comment 6 Doran Moppert 2019-04-29 08:19:13 UTC

This issue was addressed in the following erratum for Red Hat Virtualization 4.2:

https://access.redhat.com/errata/RHBA-2019:0802

Note You need to log in before you can comment on or make changes to this bug.