Red Hat Bugzilla – Bug 800688
CVE-2012-1145 satellite: remote package upload without authorization
Last modified: 2012-09-21 05:59:24 EDT
It was discovered that a remote attacker was able to upload a package to a Spacewalk/Satellite NULL organization without any authorization or authentication. A NULL organization is one to which packages synced from Red Hat Network Hosted land. Although an attacker is not able to put packages into an arbitrary channel, he could upload several packages and fill up the /var partition with such files. While these packages are not copied to legitimate channels and would not be downloaded by client systems, a full partition would prevent the downloading of new legitimate packages, which may include security fixes. These packages would then be unavailable to client systems.
This vulnerability only applies to RHN Satellite 5.4 when running on Red Hat Enterprise Linux 6 under mod_wsgi. As the code uses mod_python when performing these checks on Red Hat Enterprise Linux 5, that version is not vulnerable to this flaw.
This issue has been addressed in following products:
Red Hat Network Satellite Server v 5.4
Via RHSA-2012:0436 https://rhn.redhat.com/errata/RHSA-2012-0436.html
Created spacewalk-backend tracking bugs for this issue
Affects: fedora-all [bug 808187]
Fixed in Spacewalk master, bd7ad3667f2388ae9929d1dfc03c49545e17384c. Tagged as spacewalk-backend-1.8.9-1.