A flaw was found in the implementation of transport.py in Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1: it does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
Upstream Issue: https://github.com/paramiko/paramiko/issues/1175
Upstream Patch: https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516
Created python-paramiko tracking bugs for this issue:
Affects: fedora-all [bug 1557131]
Affects: epel-all [bug 1557132]
Created python-paramiko tracking bugs for this issue: Affects: openstack-rdo [bug 1557134]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2018:0591 https://access.redhat.com/errata/RHSA-2018:0591
This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Via RHSA-2018:0646 https://access.redhat.com/errata/RHSA-2018:0646
With regards to openstack-rdo [bug 1557134], RDO uses packages in the CentOS extras repo, so we will get the fix for this CVE via an extras repo update in CentOS. I'll keep bug 1557134 updated.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6.4 Advanced Update Support
Red Hat Enterprise Linux 6.5 Advanced Update Support
Red Hat Enterprise Linux 6.6 Advanced Update Support
Red Hat Enterprise Linux 6.6 Telco Extended Update Support
Red Hat Enterprise Linux 6.7 Extended Update Support
Via RHSA-2018:1125 https://access.redhat.com/errata/RHSA-2018:1125
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:1124 https://access.redhat.com/errata/RHSA-2018:1124
This issue has been addressed in the following products: Red Hat Ansible Engine 2.4 for RHEL 7 Via RHSA-2018:1213 https://access.redhat.com/errata/RHSA-2018:1213
This issue has been addressed in the following products:
Red Hat Virtualization 4 for RHEL-7
Red Hat Virtualization Engine 4.1
Via RHSA-2018:1274 https://access.redhat.com/errata/RHSA-2018:1274
This issue has been addressed in the following products: CloudForms Management Engine 5.9 Via RHSA-2018:1328 https://access.redhat.com/errata/RHSA-2018:1328
This issue has been addressed in the following products: Red Hat Virtualization 4 for RHEL-7 Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525
This issue has been addressed in the following products: CloudForms Management Engine 5.8 Via RHSA-2018:1972 https://access.redhat.com/errata/RHSA-2018:1972
Statement: This flaw is a user authentication bypass in the SSH server functionality of paramiko (normally used by subclassing `paramiko.ServerInterface`). Where paramiko is used only for its client-side functionality (e.g. `paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be exploited. The following Red Hat products use paramiko only in client-side mode; server-side functionality is not used.
* Red Hat Ceph Storage 2
* Red Hat CloudForms 4
* Red Hat Enterprise Linux 7
* Red Hat Enterprise Virtualization
* Red Hat Gluster Storage 3
* Red Hat Openshift Container Platform
* Red Hat Quick Cloud Installer
* Red Hat Satellite 6
* Red Hat Storage Console 2
* Red Hat OpenStack Platform
* Red Hat Update Infrastructure
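A small triage helper, added here as an example and not part of this bug or of paramiko, that combines the affected version ranges from the description with the exposure statement above: a deployment is only exposed when it runs a vulnerable upstream version and actually builds an SSH server on `paramiko.ServerInterface`. The version strings and the `uses_server_interface` flag are inputs you supply; the fixed versions are taken from the description.

```python
"""Triage for the paramiko auth-bypass: is a given version affected, and is
the flaw exposed in this deployment? Constructed example, not paramiko code."""
import re

# First fixed release on each affected branch, as listed in the description.
FIXED_PER_BRANCH = {
    (1, 17): (1, 17, 6),
    (1, 18): (1, 18, 5),
    (2, 0): (2, 0, 8),
    (2, 1): (2, 1, 5),
    (2, 2): (2, 2, 3),
    (2, 3): (2, 3, 2),
    (2, 4): (2, 4, 1),
}


def parse_version(text):
    """Turn '2.1.1-2.el7ae' or '2.4' into a (major, minor, patch) tuple,
    ignoring any distro release suffix after the numeric part."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(text):
    """True if this upstream version predates the fix on its branch.
    'Before 1.17.6' covers every older branch too; versions on branches
    newer than 2.4 are treated as fixed (assumption: they post-date the patch)."""
    ver = parse_version(text)
    fixed = FIXED_PER_BRANCH.get(ver[:2])
    if fixed is not None:
        return ver < fixed
    return ver < (1, 17, 6)


def triage(text, uses_server_interface):
    """Combine the version check with the statement above: only code that
    subclasses paramiko.ServerInterface exposes the authentication bypass."""
    if not is_affected_version(text):
        return "not affected: fixed version"
    if not uses_server_interface:
        return "affected version, not exposed: client-side use only"
    return "exposed: SSH server built on vulnerable paramiko, update required"
```

The upstream number alone says nothing about distro backports: for packaged builds such as the `python-paramiko-2.1.1-2.el7ae` mentioned later in this bug, check the package's errata (the RHSA list above) rather than the version string.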
Satellite 6 before 6.3 was shipping paramiko for ansible and openshift-ansible. Right now paramiko gets pulled in as an ansible dependency, thus Satellite does not need a separate erratum.
* Earlier Satellite 6.3 paramiko dep --
~~~
[ytale@cordelia manifests]$ grep -inr paramiko | grep sat
manifest-eol.txt:8826:rhn_satellite:6.3/python-paramiko-2.1.1-2.el7ae.noarch.rpm
~~~
* Satellite 6.6 paramiko dep --
~~~
[root@smqa-x3650-01-vm01 ~]# rpm -qi --whatrequires python-paramiko
Name : ansible
Version : 2.8.10
~~~