Bug 997639 - CVE-2013-4225 Katello: proxied Candlepin calls authorization bypass
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20140711,repo...
Depends On: 986185 997691 997693 997694 1159434
Blocks: 997692 1000138
Reported: 2013-08-15 16:50 EDT by Kurt Seifried
Modified: 2015-07-29 09:38 EDT (History)
Doc Type: Bug Fix
Last Closed: 2015-01-17 00:34:52 EST
Description Kurt Seifried 2013-08-15 16:50:34 EDT
Ivan Necas (inecas@redhat.com) reports:

Description of problem:
Since this patch in upstream

https://github.com/Katello/katello/commit/a8c987213a3fa15bda493802a21594e2c53ad346#L2R21

the calls to katello that are directly proxied to candlepin skipped
proper authorization.

These are mostly the calls that are performed by subscription-manager from
registered systems (listing available subscriptions, subscribing, unsubscribing, etc.).

Version-Release number of selected component (if applicable):
All the versions containing the patch above. Should be only Sat6 MDP1 and SAM 1.3 beta

How reproducible:
Always

Steps to Reproduce:
1. subscription-manager register # against a katello instance
2. subscription-manager identity # note the uuid
3. curl -k -u admin:admin https://localhost/katello/api/consumers/{uuid}/owner

Actual results:

The user is allowed to access this url with user credentials

Expected results:

The call should be allowed only for the subscribed system with proper consumer certificate.
Comment 3 Bryan Kearney 2014-06-25 16:55:31 EDT
This is not a bug on SAM 1.4

[root@bkearney ~]# subscription-manager register
Username: admin
Password: 
Organization: ACME_Corporation
The system has been registered with ID: e333a1fa-5b00-4682-89c7-0ff8a8ee1c91 
[root@bkearney ~]# curl -k -u admin:admin https://ibm-x3250m4-07.lab.eng.rdu2.redhat.com/sam/api/consumers/e333a1fa-5b00-4682-89c7-0ff8a8ee1c91/owner
{"displayMessage":"User admin is not allowed to access api/v1/candlepin_proxies/get","errors":["User admin is not allowed to access api/v1/candlepin_proxies/get"]}[ro
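The report above describes proxied consumer routes being forwarded to Candlepin without checking who the caller is, and Comment 3 shows the fixed behaviour (a username/password session is refused). The following Ruby sketch, added here as an illustration and not taken from Katello or Candlepin, models that gap: a vulnerable proxy that forwards any authenticated request beside a hardened one that accepts only a consumer certificate whose UUID matches the consumer in the URL. The Request struct, the :user / :consumer_cert labels, forward_to_candlepin and the second UUID are constructed for the example; the first UUID is the one shown in Comment 3.

```ruby
# Added illustration of the authorization gap in this bug; not Katello's or
# Candlepin's code. Field names and auth labels are constructed for the example.
Request = Struct.new(:auth_type, :principal, :route_uuid, keyword_init: true)

class AuthorizationError < StandardError; end

# Stand-in for the call that would be forwarded to Candlepin (constructed).
def forward_to_candlepin(req)
  { proxied: true, consumer: req.route_uuid }
end

# Vulnerable shape: once the caller holds any valid credential, the proxied
# consumer route is forwarded without asking whether the caller is that consumer.
def proxy_consumer_owner_vulnerable(req)
  raise AuthorizationError, 'unauthenticated' if req.auth_type.nil?
  forward_to_candlepin(req)
end

# Hardened shape: the route belongs to the registered system itself, so it
# requires a consumer certificate and the certificate's UUID must equal the
# UUID in the URL. User sessions are rejected, as in the Comment 3 output.
def proxy_consumer_owner_hardened(req)
  unless req.auth_type == :consumer_cert
    raise AuthorizationError,
          "User #{req.principal} is not allowed to access this consumer route"
  end
  unless req.principal == req.route_uuid
    raise AuthorizationError, 'consumer certificate does not match the requested consumer'
  end
  forward_to_candlepin(req)
end

# Runs one request through a variant and reports :allowed or :denied.
def outcome(variant, req)
  send(variant, req)
  :allowed
rescue AuthorizationError
  :denied
end

CONSUMER_UUID = 'e333a1fa-5b00-4682-89c7-0ff8a8ee1c91' # UUID from Comment 3
OTHER_UUID    = '00000000-0000-4000-8000-000000000000' # constructed

# The three cases a reviewer would check against each variant:
# a user session, the consumer's own certificate, and some other consumer's certificate.
def run_cases
  cases = {
    user_credentials:    Request.new(auth_type: :user, principal: 'admin',
                                     route_uuid: CONSUMER_UUID),
    own_consumer_cert:   Request.new(auth_type: :consumer_cert, principal: CONSUMER_UUID,
                                     route_uuid: CONSUMER_UUID),
    other_consumer_cert: Request.new(auth_type: :consumer_cert, principal: OTHER_UUID,
                                     route_uuid: CONSUMER_UUID)
  }
  %i[vulnerable hardened].each_with_object({}) do |variant, results|
    method = :"proxy_consumer_owner_#{variant}"
    results[variant] = cases.transform_values { |req| outcome(method, req) }
  end
end

if __FILE__ == $PROGRAM_NAME
  run_cases.each do |variant, results|
    puts "#{variant}: #{results}"
  end
end
```

Only the hardened variant denies the user session and the mismatched certificate while still allowing the consumer's own certificate, which is the expected result stated in the report.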