<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Nov 12, 2013 at 11:29 AM, Cliff Perry <span dir="ltr"><<a href="mailto:cperry@redhat.com" target="_blank">cperry@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Spacewalk community,<br>
today, a Critical security issue was announced within the Spacewalk code base.<br>
<br>
This is covered by CVE:<br>
<br>
<a href="https://access.redhat.com/security/cve/CVE-2013-4480" target="_blank">https://access.redhat.com/security/cve/CVE-2013-4480</a><br>
<br>
We have just committed into the Spacewalk git repo the fixes and building packages for Spacewalk 2.0 and 1.9. These packages should be available to download and install soon.<br>
<br>
Commits are found here:<br>
<a href="https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-2.0" target="_blank">https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-2.0</a><br>
<a href="https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-1.9" target="_blank">https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-1.9</a><br>
<br>
Signed packages will be available here within the hour:<br>
<a href="http://yum.spacewalkproject.org/2.0/" target="_blank">http://yum.spacewalkproject.org/2.0/</a><br>
<a href="http://yum.spacewalkproject.org/1.9/" target="_blank">http://yum.spacewalkproject.org/1.9/</a><br>
<br>
If you are running older versions of Spacewalk, then you can manually apply the fix (details below).<br>
<br>
Once you have patched, I would additionally recommend reviewing:<br>
 - the users/logins on your Spacewalk, and confirm no unknown Administrative accounts have been created on the Satellite.<br>
<br>
Please let us know if you have questions.<br>
<br>
Regards,<br>
Clifford<br>
<br>
Link to Satellite Errata:<br>
<a href="https://rhn.redhat.com/errata/RHSA-2013-1513.html" target="_blank">https://rhn.redhat.com/errata/RHSA-2013-1513.html</a><br>
<a href="https://rhn.redhat.com/errata/RHSA-2013-1514.html" target="_blank">https://rhn.redhat.com/errata/RHSA-2013-1514.html</a><br>
<br>
Text modified from Satellite Knowledgebase article:<br>
<br>
Does CVE-2013-4480 affect Spacewalk 1.x & 2.x?<br>
<br>
Issue<br>
-----<br>
The flaw identified by CVE-2013-4480 (Red Hat Bugzilla 1024614) describes an issue where a user-supplied web query can result in an administrative user being added to the Satellite console. A remote, unprivileged user could use this flaw to gain administrative privileges to the Satellite console.<br>
<br>
No public exploit is available, however exploitation does not require specialized knowledge or tools.<br>
<br>
Environment<br>
* Spacewalk 2.0, 1.x, 0.x - all previously released versions<br>
<br>
Resolution<br>
----------<br>
Updates to correct this issue are available within the Spacewalk yum repos.<br>
<br>
<a href="http://spacewalk.redhat.com/yum/" target="_blank">http://spacewalk.redhat.com/yum/</a><br>
<br>
If updating is not possible, or you have an older version than 2.0 or 1.9, the /var/lib/tomcat[56]/webapps/rhn/WEB-INF/struts-config.xml file can be modified manually to include the two necessary checks.<br>
<br>
Spacewalk 1.x and 2.0<br>
=====================<br>
<br>
1) In the struts-config.xml file, locate the "CreateFirstUserSubmit" section and add the following line after the <set-property property="postRequired" value="true" /> line:<br>
<br>
<set-property property="acls" value="need_first_user()"/><br>
<br>
The modified section should look as follows:<br>
<br>
    <action path="/newlogin/CreateFirstUserSubmit"<br>
        name="createSatelliteForm"<br>
        scope="request"<br>
        validate="false"<br>
        input="/WEB-INF/pages/user/create/usercreate.jsp"<br>
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"<br>
        className="com.redhat.rhn.frontend.struts.RhnActionMapping"><br>
      <set-property property="postRequired" value="true" /><br>
      <set-property property="acls" value="need_first_user()"/><br>
      <forward name="success_sat" path="/YourRhn.do"<br>
               redirect="true"/><br>
      <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/><br>
    </action><br>
<br>
2) In the struts-config.xml file, locate the "CreateSatelliteSubmit" section and add the following line after the <set-property property="postRequired" value="true" /> line:<br>
<br>
<set-property property="acls" value="user_role(org_admin)"/><br>
<br>
The modified section should look as follows:<br>
<br>
    <action path="/newlogin/CreateSatelliteSubmit"<br>
        name="createSatelliteForm"<br>
        scope="request"<br>
        validate="false"<br>
        input="/WEB-INF/pages/user/create/usercreate.jsp"<br>
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"<br>
        className="com.redhat.rhn.frontend.struts.RhnActionMapping"><br>
      <set-property property="postRequired" value="true" /><br>
      <set-property property="acls" value="user_role(org_admin)"/><br>
      <forward name="existorgsuccess" path="/users/ActiveList.do"<br>
               redirect="true"/><br>
      <forward name="failure" path="/users/CreateUser.do"/><br>
    </action><br>
<br>
3) The Spacewalk service must be restarted, or at least tomcat, for the above changes to take effect.<br>
<br>
_______________________________________________<br>
Spacewalk-list mailing list<br>
<a href="mailto:Spacewalk-list@redhat.com" target="_blank">Spacewalk-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/spacewalk-list" target="_blank">https://www.redhat.com/mailman/listinfo/spacewalk-list</a><br>
</blockquote></div><br><br></div><div class="gmail_extra">I was about to take mine offline and update. The link no longer works. Is this not a CVE?<br></div></div>
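A defender-side verification for the manual workaround quoted above, added here as an example; it is not part of the mailing-list post or of the Spacewalk project. It parses a struts-config.xml and reports whether the two actions named in the advisory (/newlogin/CreateFirstUserSubmit and /newlogin/CreateSatelliteSubmit) carry the "acls" set-property values the post prescribes (need_first_user() and user_role(org_admin)), so an administrator can confirm the edit landed before restarting tomcat, or audit a fleet of older installs. The embedded sample XML is constructed for demonstration: its first action is patched, its second is not. Point the script at a real file with `python check_acls.py /var/lib/tomcat6/webapps/rhn/WEB-INF/struts-config.xml` (the script filename is an assumption).

```python
"""Check a Spacewalk struts-config.xml for the two CVE-2013-4480 ACL entries.

Added example, not code from the mailing-list post or the Spacewalk project.
It only reads the file; it does not modify anything.
"""
import sys
import xml.etree.ElementTree as ET

# Expected ACL per action path, exactly as stated in the advisory text.
REQUIRED_ACLS = {
    "/newlogin/CreateFirstUserSubmit": "need_first_user()",
    "/newlogin/CreateSatelliteSubmit": "user_role(org_admin)",
}

# Constructed sample (not a real config): first action patched, second not.
SAMPLE_STRUTS_CONFIG = """
<struts-config>
  <action-mappings>
    <action path="/newlogin/CreateFirstUserSubmit"
        name="createSatelliteForm" scope="request" validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <set-property property="acls" value="need_first_user()"/>
      <forward name="success_sat" path="/YourRhn.do" redirect="true"/>
      <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
    </action>
    <action path="/newlogin/CreateSatelliteSubmit"
        name="createSatelliteForm" scope="request" validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <forward name="existorgsuccess" path="/users/ActiveList.do" redirect="true"/>
      <forward name="failure" path="/users/CreateUser.do"/>
    </action>
  </action-mappings>
</struts-config>
"""


def action_acls(root):
    """Map each <action path=...> to the value of its 'acls' set-property,
    or None when the action has no such property."""
    result = {}
    for action in root.iter("action"):
        acl = None
        for prop in action.findall("set-property"):
            if prop.get("property") == "acls":
                acl = prop.get("value")
        result[action.get("path")] = acl
    return result


def check_struts_config(xml_text):
    """Return {action path: problem} for each advisory action that is absent,
    lacks an 'acls' property, or carries an unexpected value.
    An empty dict means both checks from the advisory are present."""
    root = ET.fromstring(xml_text)
    acls = action_acls(root)
    problems = {}
    for path, expected in REQUIRED_ACLS.items():
        if path not in acls:
            problems[path] = "action not found"
        elif acls[path] is None:
            problems[path] = "no acls set-property"
        elif acls[path].replace(" ", "") != expected:
            problems[path] = "unexpected acls value %r" % acls[path]
    return problems


def main(argv):
    # With a path argument, check that file; otherwise run on the sample.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            text = fh.read()
    else:
        text = SAMPLE_STRUTS_CONFIG
    problems = check_struts_config(text)
    for path, why in sorted(problems.items()):
        print("MISSING: %s: %s" % (path, why))
    if not problems:
        print("OK: both CVE-2013-4480 ACL checks present")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero whenever either check is missing, so the script drops straight into a configuration-management or monitoring job; a missing action path is reported separately from a missing or altered ACL value, since each points to a different kind of mistake in the manual edit.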