Bug 718824 (CVE-2011-2528) - CVE-2011-2528 plone: privilege escalation vulnerability
Summary: CVE-2011-2528 plone: privilege escalation vulnerability
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2011-2528
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 711497 718829
Blocks: 718827
TreeView+ depends on / blocked
 
Reported: 2011-07-04 21:42 UTC by Vincent Danen
Modified: 2019-09-29 12:45 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-24 16:01:57 UTC


Attachments (Terms of Use)

Description Vincent Danen 2011-07-04 21:42:27 UTC
It was reported [1] that Plone suffers from a vulnerability that can be exploited to bypass certain security restrictions.  This is due to a vulnerable bundled version of Zope.

Plone 3.x users that backported the fix for CVE-2011-0720 (PloneHotfix20110720) are affected due to the vulnerability being inadvertently backported via the hotfix.

A new hotfix (20110622) is available [2] to correct the flaw.

[1] http://plone.org/products/plone/security/advisories/20110622
[2] http://plone.org/products/plone-hotfix/releases/20110622

Comment 2 Vincent Danen 2011-07-04 21:52:41 UTC
Created luci tracking bugs for this issue

Affects: fedora-all [bug 718829]

Comment 3 Vincent Danen 2011-07-04 21:52:43 UTC
Created plone tracking bugs for this issue

Affects: epel-5 [bug 711497]

Comment 4 Vincent Danen 2011-07-04 22:05:42 UTC
Also note the affects on Zope 2.12/2.13 (fixed upstream in 2.12.19 and 2.13.8):

https://mail.zope.org/pipermail/zope-announce/2011-June/002260.html

I do not believe we ship Zope at all in any products, other than some python-zope-* modules.

Comment 5 Fabio Massimo Di Nitto 2011-07-05 05:03:25 UTC
(In reply to comment #2)
> Created luci tracking bugs for this issue
> 
> Affects: fedora-all [bug 718829]

luci does not use plone anylonger (or zope).

Comment 6 Ryan McCabe 2011-07-05 15:05:32 UTC
Per the plone site:

"Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected; you should not install this hotifx on those sites."

So we are unaffected because we're using Plone-2.5.5 and Zope-2.9.8

Comment 7 Vincent Danen 2011-07-05 23:25:16 UTC
(In reply to comment #6)
> Per the plone site:
> 
> "Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected;
> you should not install this hotifx on those sites."
> 
> So we are unaffected because we're using Plone-2.5.5 and Zope-2.9.8

For which packages/platforms is the above referring to?

Comment 8 Ryan McCabe 2011-07-06 15:48:51 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > Per the plone site:
> > 
> > "Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected;
> > you should not install this hotifx on those sites."
> > 
> > So we are unaffected because we're using Plone-2.5.5 and Zope-2.9.8
> 
> For which packages/platforms is the above referring to?
Sorry -- this pertains to conga on RHEL4 and RHEL5.

Comment 9 Vincent Danen 2011-07-06 17:03:06 UTC
(In reply to comment #8) 
> > For which packages/platforms is the above referring to?
> Sorry -- this pertains to conga on RHEL4 and RHEL5.

Fantastic, thank you Ryan.  I'm assuming that when you refer to RHEL4 you're talking about the cluster product, correct?  (conga 0.11.2-4.el4).

If that is the case, then only Plone in EPEL5 is affected by this.

However, if that is indeed the case, then I'm wondering why we did an update for CVE-2011-0720 for RHEL4 and RHEL5, which seem to contain the patch that introduced this flaw.  That would imply to me that we are indeed affected:

https://www.redhat.com/security/data/cve/CVE-2011-0720.html

Judging by that alone, we should be affected, shouldn't we?

Comment 10 Ryan McCabe 2011-07-06 17:37:31 UTC
(In reply to comment #9)
> Fantastic, thank you Ryan.  I'm assuming that when you refer to RHEL4 you're
> talking about the cluster product, correct?  (conga 0.11.2-4.el4).
> 
> If that is the case, then only Plone in EPEL5 is affected by this.
> 
> However, if that is indeed the case, then I'm wondering why we did an update
> for CVE-2011-0720 for RHEL4 and RHEL5, which seem to contain the patch that
> introduced this flaw.  That would imply to me that we are indeed affected:
> 
> https://www.redhat.com/security/data/cve/CVE-2011-0720.html
> 
> Judging by that alone, we should be affected, shouldn't we?
CVE-2011-0720 specified that Plone 2.5 was affected, which is why we applied the patch there.

http://plone.org/products/plone/security/advisories/20110622 mentions that the vulnerability in Plone3 was introduced by the previous hotfix, but it doesn't say anything similar about any other versions of Plone. I guess the previous hotfix interacted with only Plone3 in a way so as to introduce the new problem.

At the bottom of the FAQ page, they write:

"Q: I see "ImportError: No module named traversing" on startup after installing the hotfix.

You have installed the hotfix onto a Plone 2.5 or Zope 2.8/2.9 site. The Hotfix is not required; you should remove it."

Comment 11 Vincent Danen 2011-07-06 17:59:41 UTC
Yes, the advisory indicates:

"Other versions are not affected. Plone 2.5 and Zope 2.8/2.9 are unaffected; you should not install this hotifx on those sites."

Great, thanks for the clarification Ryan.  I'll note that RHEL is unaffected by this.

Comment 12 Vincent Danen 2011-07-15 16:54:42 UTC
This has been assigned the name CVE-2011-2528:

http://seclists.org/oss-sec/2011/q3/75


Note You need to log in before you can comment on or make changes to this bug.