A account takeover flaw was found in Red Hat Satellite 6.7.2 onward, a potential attacker with proper authentication to the relevant external authentication source (SSO or Open ID) can claim the privileges of already existing local users of Satellite.
Acknowledgments: Name: Stefan Meyer (Red Hat)
Mitigation: This issue can be mitigated by disabling the external login if a Satellite user has their authentication set to INTERNAL.
Hotfixes for this issue are available for Satellite 6.7.2 and Satellite 6.7.3 To obtain the Hotfix for your Satellite version, please open a support case with Red Hat Technical Support, as the Hotfix RPM is too large to be provided as a bugzilla attachment INSTALLATION INSTRUCTIONS: (Both versions) 1. Make a backup or snapshot or Satellite server (Both versions) 2. Obtain the Hotfix RPM from Red Hat Technical Support and copy it to Satellite server (Satellite 6.7.2) 3. # rpm -Uvh --nodeps foreman-1.24.1.24-3.HOTFIXRHBZ1798489RHBZ1792135RHBZ1873439.el7sat.noarch.rpm (Satellite 6.7.3) 3. # rpm -Uvh --nodeps foreman-1.24.1.25-2.HOTFIXRHBZ1798489RHBZ1792135RHBZ1873439.el7sat.noarch.rpm (Both versions) 4. # satellite-maintain service restart
This issue has been addressed in the following products: Red Hat Satellite 6.7 for RHEL 8 Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14380