Bug 1684978 (CVE-2019-3879) - CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks
Summary: CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user...
Status: ON_QA
Alias: CVE-2019-3879
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190325,repo...
Keywords: Security
Depends On: 1642872 1692380
Blocks: 1679052
TreeView+ depends on / blocked
 
Reported: 2019-03-04 04:09 UTC by Doran Moppert
Modified: 2019-06-08 23:53 UTC (History)
13 users (show)

(edit)
It was discovered that in the ovirt REST API, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped.  A user with low privileges (e.g. Basic Operations) could exploit this flaw to delete disks attached to guests.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Doran Moppert 2019-03-04 04:09:00 UTC
It was discovered that in the ovirt REST API, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped.  A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.

Comment 2 Doran Moppert 2019-04-03 06:36:56 UTC
Upstream fix:

https://gerrit.ovirt.org/#/c/98153/

Comment 4 Sandro Bonazzola 2019-04-29 07:30:04 UTC
(In reply to Doran Moppert from comment #2)
> Upstream fix:
> 
> https://gerrit.ovirt.org/#/c/98153/

$ git tag --contains b6840a6c6221470c31e5f4d9f718239a9d44149d
ovirt-engine-4.3.2.1
ovirt-engine-4.3.3
ovirt-engine-4.3.3.1
ovirt-engine-4.3.3.2
ovirt-engine-4.3.3.3
ovirt-engine-4.3.3.4
ovirt-engine-4.3.3.5
ovirt-engine-4.3.3.6

Comment 6 Doran Moppert 2019-04-29 08:19:13 UTC
This issue was addressed in the following erratum for Red Hat Virtualization 4.2:

https://access.redhat.com/errata/RHBA-2019:0802


Note You need to log in before you can comment on or make changes to this bug.