Bug 1417702 (CVE-2017-2614) - CVE-2017-2614 rhev-m-4: Fails to validate existing expired passwords when changing a password
Status: CLOSED ERRATA
Alias: CVE-2017-2614
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1416935
Blocks: 1417706
Reported: 2017-01-30 17:15 UTC by Kurt Seifried
Modified: 2021-02-17 02:41 UTC (History)

Fixed In Version: ovirt-engine-extension-aaa-jdbc 1.1.3
Doc Text:
When updating a password in the rhvm database, the ovirt-aaa-jdbc-tool tools fail to correctly check the current password if it is expired. This would allow an attacker who is able to change the password on accounts with expired passwords to gain access to those accounts.
Last Closed: 2017-02-06 23:45:39 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:0257 | 0 | normal | SHIPPED_LIVE | Important: ovirt-engine-extension-aaa-jdbc security update | 2017-02-07 02:29:44 UTC

Description Kurt Seifried 2017-01-30 17:15:25 UTC
Dominic Geevarghese of Red Hat reports:

RHV 4 Manager fails to validate expired passwords when prompted to change a password.

Comment 1 Kurt Seifried 2017-01-30 17:15:36 UTC
Acknowledgments:

Name: Dominic Geevarghese (Red Hat)

Comment 4 errata-xmlrpc 2017-02-06 21:30:13 UTC
This issue has been addressed in the following products:

  RHEV Engine version 4.0

Via RHSA-2017:0257 https://rhn.redhat.com/errata/RHSA-2017-0257.html

