Bug 2065665 (CVE-2022-24302) - CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file function
Summary: CVE-2022-24302 python-paramiko: Race condition in the write_private_key_file ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-24302
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2068130 2122628 2065666 2065667 2066431 2067968 2067982 2068392 2075658 2075659 2075660
Blocks: 2065668
TreeView+ depends on / blocked
 
Reported: 2022-03-18 12:46 UTC by Pedro Sampaio
Modified: 2022-12-07 20:26 UTC (History)
49 users (show)

Fixed In Version: paramiko v 2.10.1
Doc Type: If docs needed, set a value
Doc Text:
A race condition was found in Paramiko. This flaw allows unauthorized information disclosure from an attacker with access to the write_private_key_file.
Clone Of:
Environment:
Last Closed: 2022-05-26 21:15:36 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:4712 0 None None None 2022-05-26 17:25:09 UTC
Red Hat Product Errata RHSA-2022:8845 0 None None None 2022-12-07 19:25:10 UTC
Red Hat Product Errata RHSA-2022:8863 0 None None None 2022-12-07 20:26:46 UTC

Description Pedro Sampaio 2022-03-18 12:46:19 UTC
In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

References:

https://www.paramiko.org/changelog.html
https://github.com/paramiko/paramiko/blob/363a28d94cada17f012c1604a3c99c71a2bda003/paramiko/pkey.py#L546

Comment 1 Pedro Sampaio 2022-03-18 12:46:46 UTC
Created python-paramiko tracking bugs for this issue:

Affects: epel-all [bug 2065667]
Affects: fedora-all [bug 2065666]

Comment 2 juneau 2022-03-21 18:21:18 UTC
services-assisted-installer affected/delegated:

services-assisted-installer/assisted-test-infra:7bf31f4/paramiko-2.9.2 https://github.com/openshift/assisted-test-infra/blob/master/requirements.txt

Comment 8 errata-xmlrpc 2022-05-26 17:25:06 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 9

Via RHSA-2022:4712 https://access.redhat.com/errata/RHSA-2022:4712

Comment 9 Product Security DevOps Team 2022-05-26 21:15:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24302

Comment 11 errata-xmlrpc 2022-12-07 19:25:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:8845 https://access.redhat.com/errata/RHSA-2022:8845

Comment 12 errata-xmlrpc 2022-12-07 20:26:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:8863 https://access.redhat.com/errata/RHSA-2022:8863


Note You need to log in before you can comment on or make changes to this bug.