A vulnerability was found in qpid-dispatch-router. Any logged-in user can access QMF methods on the Satellite's qpid broker, which allows them to install or uninstall any available package on any system managed by the Satellite that runs katello-agent / goferd.
Acknowledgments: Name: Pavel Moravec (Red Hat)
Mitigation: On the Satellite Server, follow the instructions below:
* Modify /etc/qpid/qpidd.conf to add this line:
    acl-file=qpid_acls.acl
* Create a new file, /var/lib/qpidd/.qpidd/qpid_acls.acl, with this content:
    acl allow katello_agent@QPID create queue
    acl allow katello_agent@QPID consume queue
    acl allow katello_agent@QPID access exchange
    acl allow katello_agent@QPID access queue
    acl allow katello_agent@QPID publish exchange routingkey=pulp.task
    acl allow katello_agent@QPID publish exchange name=qmf.default.direct
    acl allow katello_agent@QPID access method name=create
    acl deny-log katello_agent@QPID access method name=*
    acl deny-log katello_agent@QPID all all
    # allow anything else
    acl allow all all
* As root, execute the command:
    # systemctl restart qpidd
* In /etc/qpid-dispatch/qdrouterd.conf, modify the connector so that the router authenticates to the broker as katello_agent:
    connector {
        name: broker
        host: localhost
        port: 5671
        sasl-mechanisms: PLAIN
        sasl-username: katello_agent
        sasl-password: katello_agent
        role: route-container
        ssl-profile: client
        idle-timeout-seconds: 0
    }
* As root, execute the command:
    # systemctl restart qdrouterd
These ACLs prevent clients from redirecting or moving messages to other queues, which is the nature of the CVE. The qpid broker evaluates ACL rules in order and applies the first rule that matches, so the deny-log rules for katello_agent@QPID must stay above the final "acl allow all all" line; that last rule keeps the behavior of every other user unchanged from the current baseline.
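The following is an added example, not code from Red Hat, Satellite or the qpid project: a small Python model of the ACL file above that applies the documented qpid rule syntax, first-match-wins ordering and deny-by-default to a handful of constructed requests. It is a simplified stand-in for the broker's own ACL engine, meant to let an administrator sanity-check the rule order before restarting qpidd. The request names that do not appear in the ACL itself (pulp.agent.x, amq.direct, the method name "delete", the user admin@QPID) are constructed for the demonstration; "audit" and "misordered_acl" are this example's own helpers.

```python
"""Toy first-match evaluator for the qpid ACL file in the mitigation (added example).

This is not the qpid broker's ACL implementation. It models the documented
rule form  acl <permission> <user|all> <action|all> [object|all] [prop=value ...],
evaluates rules top to bottom, applies the first match, and denies requests
that no rule matches (qpid's documented default). Treat it as an offline
sanity check of rule ordering, not as an authoritative policy engine.
"""
from dataclasses import dataclass, field

# The ACL body from the mitigation, embedded verbatim so the script runs offline.
MITIGATION_ACL = """\
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID access method name=create
acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all
# allow anything else
acl allow all all
"""


@dataclass
class Rule:
    permission: str                  # allow | deny | deny-log
    user: str                        # user@realm, or "all"
    action: str                      # create, consume, access, publish, ... or "all"
    obj: str                         # queue, exchange, method, ... or "all"
    props: dict = field(default_factory=dict)   # e.g. {"name": "create"}


def parse_acl(text):
    """Parse ACL lines into Rule objects, skipping comments and blank lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "acl":
            raise ValueError(f"line {lineno}: not an ACL rule: {raw!r}")
        permission, user, action = parts[1], parts[2], parts[3]
        if permission not in ("allow", "deny", "deny-log"):
            raise ValueError(f"line {lineno}: unknown permission {permission!r}")
        obj, props, seen_obj = "all", {}, False
        for tok in parts[4:]:
            if "=" in tok:                       # property constraint
                key, value = tok.split("=", 1)
                props[key] = value
            elif not seen_obj and not props:     # the optional object token
                obj, seen_obj = tok, True
            else:
                raise ValueError(f"line {lineno}: unexpected token {tok!r}")
        rules.append(Rule(permission, user, action, obj, props))
    return rules


def rule_matches(rule, user, action, obj, props):
    """A rule matches when every field it constrains equals the request's value."""
    if rule.user != "all" and rule.user != user:
        return False
    if rule.action != "all" and rule.action != action:
        return False
    if rule.obj != "all" and rule.obj != obj:
        return False
    for key, value in rule.props.items():
        if value != "*" and props.get(key) != value:   # "*" matches any value
            return False
    return True


def decide(rules, user, action, obj, props=None):
    """First matching rule wins; an unmatched request is denied."""
    props = props or {}
    for rule in rules:
        if rule_matches(rule, user, action, obj, props):
            return rule.permission
    return "deny"


def audit(text):
    """Evaluate constructed requests relevant to this CVE against an ACL text."""
    rules = parse_acl(text)
    agent = "katello_agent@QPID"
    cases = {
        # Ordinary agent traffic that must keep working after the mitigation.
        "agent creates consumer queue": (agent, "create", "queue", {"name": "pulp.agent.x"}),
        "agent publishes pulp.task":    (agent, "publish", "exchange", {"routingkey": "pulp.task"}),
        "agent QMF create method":      (agent, "access", "method", {"name": "create"}),
        # Management calls an attacker could use to re-route messages.
        "agent QMF other method":       (agent, "access", "method", {"name": "delete"}),
        "agent publishes elsewhere":    (agent, "publish", "exchange", {"name": "amq.direct", "routingkey": "other"}),
        # Any other user is untouched by the mitigation (acl allow all all).
        "admin QMF other method":       ("admin@QPID", "access", "method", {"name": "delete"}),
    }
    return {label: decide(rules, *request) for label, request in cases.items()}


def misordered_acl(text):
    """Return the same rules with 'acl allow all all' moved to the top (a fatal edit)."""
    lines = [l for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]
    catch_all = [l for l in lines if l.split() == ["acl", "allow", "all", "all"]]
    rest = [l for l in lines if l not in catch_all]
    return "\n".join(catch_all + rest) + "\n"


if __name__ == "__main__":
    for label, verdict in audit(MITIGATION_ACL).items():
        print(f"{verdict:9s} {label}")
```

Running the audit against the mitigation text shows the katello_agent identity still allowed to create queues, publish pulp.task and call the QMF create method, while any other QMF method or publish to another exchange hits a deny-log rule, and admin@QPID falls through to allow. Feeding the same rules through misordered_acl shows why the order matters: with "acl allow all all" first, every request from katello_agent is allowed and the mitigation is void.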
This issue has been addressed in the following products:
* Red Hat Satellite 6.3 for RHEL 7, via RHSA-2019:0733 (https://access.redhat.com/errata/RHSA-2019:0733)
* Red Hat Satellite 6.4 for RHEL 7, via RHSA-2019:0735 (https://access.redhat.com/errata/RHSA-2019:0735)
* Red Hat Satellite 6.2 for RHEL 6 and Red Hat Satellite 6.2 for RHEL 7, via RHSA-2019:0734 (https://access.redhat.com/errata/RHSA-2019:0734)
* Satellite Tools 6.5, via RHSA-2019:1223 (https://access.redhat.com/errata/RHSA-2019:1223), for RHEL 5.9.AUS, RHEL 5.ELS, RHEL 6, RHEL 6.4.AUS, RHEL 6.5.AUS, RHEL 6.6.AUS, RHEL 7, RHEL 7.2.AUS, RHEL 7.2.E4S, RHEL 7.2.TUS, RHEL 7.3.AUS, RHEL 7.3.E4S, RHEL 7.3.TUS, RHEL 7.4.AUS, RHEL 7.4.E4S, RHEL 7.4.EUS, RHEL 7.4.TUS, RHEL 7.5.EUS, RHEL 7.6.AUS, RHEL 7.6.E4S, RHEL 7.6.EUS, RHEL 7.6.TUS, and RHEL 8
Statement: The Red Hat Satellite 6.5 GA release includes a version of katello-installer-base that provides the fix for this issue.
It is super confusing looking at where the issue was and where it got fixed. I see some indirect fixes are in puppet-foreman_proxy_content, puppet-katello and puppet-qpid too. However, from the errata I can confirm the issue got fixed in katello-installer-base-3.10.0.6-1 through RHSA-2019:0735. To answer comment#18, whatever Cedric and Pavel said is correct; this vulnerability does not have anything to do with beautifulsoup4. I think container images were getting flagged because of an incorrect CVE mapping with the RPM. I've corrected this CVE mapping from the advisory so it is now mapping to the correct RPM (katello-installer-base). I expect that once the CVE page gets updated, container images should not flag it incorrectly.