1858302 – (CVE-2020-14335) CVE-2020-14335 foreman: world-readable OMAPI secret through the ISC DHCP server

Bug 1858302 (CVE-2020-14335) - CVE-2020-14335 foreman: world-readable OMAPI secret through the ISC DHCP server

Summary: CVE-2020-14335 foreman: world-readable OMAPI secret through the ISC DHCP server

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-14335
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1858311
Blocks:	1858290
TreeView+	depends on / blocked

Reported:	2020-07-17 13:43 UTC by Yadnyawalk Tale
Modified:	2021-12-14 18:47 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Red Hat Satellite, which allows a privileged attacker to read OMAPI secrets through the ISC DHCP of Smart-Proxy. This flaw allows an attacker to gain control of DHCP records from the network. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2021-04-21 16:46:41 UTC
Embargoed:

Attachments	(Terms of Use)

Description Yadnyawalk Tale 2020-07-17 13:43:58 UTC

Red Hat Satellite 6 allows local user of Smart-Proxy system to read OMAPI interface secret. Local user using the ISC DHCP server can read object mapping API (OMAPI) secret, as by default it listens on all interfaces for OMAPI interfaction.

Comment 2 Yadnyawalk Tale 2020-07-17 13:59:25 UTC

Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 4 Yadnyawalk Tale 2020-07-20 05:40:15 UTC

Acknowledgments:

Name: Foreman
Upstream: Peter Bray (illumino Pty Ltd, Australia)

Comment 6 errata-xmlrpc 2021-04-21 13:10:23 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.8 for RHEL 7

Via RHSA-2021:1313 https://access.redhat.com/errata/RHSA-2021:1313

Comment 7 Product Security DevOps Team 2021-04-21 16:46:41 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14335

Note You need to log in before you can comment on or make changes to this bug.