[Spacewalk-list] Critical security issue about your Spacewalk system

Cliff Perry cperry at redhat.com
Tue Nov 12 16:29:40 UTC 2013


Hi Spacewalk community,
Today, a critical security issue was announced in the Spacewalk code 
base.

This is covered by CVE:

https://access.redhat.com/security/cve/CVE-2013-4480

We have just committed the fixes into the Spacewalk git repo and are 
building packages for Spacewalk 2.0 and 1.9. These packages should be 
available to download and install soon.

Commits are found here:
https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-2.0
https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-1.9

Signed packages will be available here within the hour:
http://yum.spacewalkproject.org/2.0/
http://yum.spacewalkproject.org/1.9/

If you are running older versions of Spacewalk, then you can manually 
apply the fix (details below).

Once you have patched, I would additionally recommend reviewing:
  - the users/logins on your Spacewalk, and confirm no unknown 
Administrative accounts have been created on the Satellite.

Please let us know if you have questions.

Regards,
Clifford

Link to Satellite Errata:
https://rhn.redhat.com/errata/RHSA-2013-1513.html
https://rhn.redhat.com/errata/RHSA-2013-1514.html

Text modified from Satellite Knowledgebase article:

Does CVE-2013-4480 affect Spacewalk 1.x & 2.x?

Issue
-----
The flaw identified by CVE-2013-4480 (Red Hat Bugzilla 1024614) 
describes an issue where a user-supplied web query can result in an 
administrative user being added to the Satellite console. A remote, 
unprivileged user could use this flaw to gain administrative privileges 
to the Satellite console.

No public exploit is available, however exploitation does not require 
specialized knowledge or tools.

Environment
* Spacewalk 2.0, 1.x, 0.x - all previously released versions

Resolution
----------
Updates to correct this issue are available within the Spacewalk yum repos.

http://spacewalk.redhat.com/yum/

If updating is not possible, or you have a version older than 2.0 or 
1.9, the /var/lib/tomcat[56]/webapps/rhn/WEB-INF/struts-config.xml file 
can be modified manually to include the two necessary checks.

Spacewalk 1.x and 2.0
=====================

1) In the struts-config.xml file, locate the "CreateFirstUserSubmit" 
section and add the following line after the <set-property 
property="postRequired" value="true" /> line:

<set-property property="acls" value="need_first_user()"/>

The modified section should look as follows:

     <action path="/newlogin/CreateFirstUserSubmit"
         name="createSatelliteForm"
         scope="request"
         validate="false"
         input="/WEB-INF/pages/user/create/usercreate.jsp"
         type="com.redhat.rhn.frontend.action.user.CreateUserAction"
         className="com.redhat.rhn.frontend.struts.RhnActionMapping">
       <set-property property="postRequired" value="true" />
       <set-property property="acls" value="need_first_user()"/>
       <forward name="success_sat" path="/YourRhn.do"
                redirect="true"/>
       <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
     </action>

2) In the struts-config.xml file, locate the "CreateSatelliteSubmit" 
section and add the following line after the <set-property 
property="postRequired" value="true" /> line:

<set-property property="acls" value="user_role(org_admin)"/>

The modified section should look as follows:

     <action path="/newlogin/CreateSatelliteSubmit"
         name="createSatelliteForm"
         scope="request"
         validate="false"
         input="/WEB-INF/pages/user/create/usercreate.jsp"
         type="com.redhat.rhn.frontend.action.user.CreateUserAction"
         className="com.redhat.rhn.frontend.struts.RhnActionMapping">
       <set-property property="postRequired" value="true" />
       <set-property property="acls" value="user_role(org_admin)"/>
       <forward name="existorgsuccess" path="/users/ActiveList.do"
                redirect="true"/>
       <forward name="failure" path="/users/CreateUser.do"/>
     </action>

3) The Spacewalk service, or at least tomcat, must be restarted for the 
above changes to take effect.
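As an added example (not part of the original post and not Spacewalk project code), the following Python script checks a struts-config.xml for the two ACL guards described in steps 1 and 2 and, if asked, inserts the missing lines after the postRequired line the way the manual procedure does. The embedded sample XML is constructed from the snippets above with the acls lines removed, i.e. what an unpatched file looks like; the file path, when you point the script at a real system, is the /var/lib/tomcat[56]/webapps/rhn/WEB-INF/struts-config.xml named in the post. The edit is done on the text rather than by re-serialising the parsed DOM so that the file's DOCTYPE, comments and layout survive.

```python
"""Audit (and optionally patch) a Spacewalk struts-config.xml for the two ACL
guards that close CVE-2013-4480 on the CreateFirstUserSubmit and
CreateSatelliteSubmit actions."""
import re
import sys
import xml.etree.ElementTree as ET

# The ACL each guarded action must carry, exactly as in the advisory.
REQUIRED_ACLS = {
    "/newlogin/CreateFirstUserSubmit": "need_first_user()",
    "/newlogin/CreateSatelliteSubmit": "user_role(org_admin)",
}

# Constructed sample: the two actions as they look on an unpatched system
# (the advisory's snippets with the acls lines removed). Not a real file.
SAMPLE_UNPATCHED = """<struts-config>
  <action-mappings>
    <action path="/newlogin/CreateFirstUserSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <forward name="success_sat" path="/YourRhn.do" redirect="true"/>
      <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
    </action>
    <action path="/newlogin/CreateSatelliteSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <forward name="existorgsuccess" path="/users/ActiveList.do" redirect="true"/>
      <forward name="failure" path="/users/CreateUser.do"/>
    </action>
  </action-mappings>
</struts-config>
"""


def audit(xml_text):
    """Map each guarded action path to 'ok', 'missing' (no acls property),
    'wrong:<value>' (an acls property with a different value) or 'absent'
    (the action mapping is not in the file at all)."""
    root = ET.fromstring(xml_text)
    status = {}
    for action in root.iter("action"):
        path = action.get("path")
        if path not in REQUIRED_ACLS:
            continue
        acls = [sp.get("value") for sp in action.findall("set-property")
                if sp.get("property") == "acls"]
        if not acls:
            status[path] = "missing"
        elif acls[0] == REQUIRED_ACLS[path]:
            status[path] = "ok"
        else:
            status[path] = "wrong:" + acls[0]
    return {path: status.get(path, "absent") for path in REQUIRED_ACLS}


def patch(xml_text):
    """Insert the missing acls line directly after the postRequired line of each
    unguarded action. Text-based on purpose: the DOCTYPE, comments and
    formatting of the real file are left untouched. Actions that are already
    guarded, carry a different ACL, or are absent are left for a human."""
    for path, acl in REQUIRED_ACLS.items():
        if audit(xml_text)[path] != "missing":
            continue
        # Group 1: from the action's opening tag up to (not across) </action>;
        # group 2: the postRequired line; group 3: its indentation.
        block = re.compile(
            r'(<action\s+path="' + re.escape(path) + r'"(?:(?!</action>).)*?)'
            r'(\n([ \t]*)<set-property\s+property="postRequired"\s+value="true"\s*/>)',
            re.DOTALL)

        def add_acl(m, acl=acl):
            return (m.group(1) + m.group(2) + "\n" + m.group(3)
                    + '<set-property property="acls" value="%s"/>' % acl)

        xml_text, n = block.subn(add_acl, xml_text, count=1)
        if n != 1:
            raise ValueError("no postRequired line found inside action " + path)
    return xml_text


if __name__ == "__main__":
    # Usage: audit_struts.py [struts-config.xml] [--fix]; with no path the sample is used.
    args = [a for a in sys.argv[1:] if a != "--fix"]
    text = open(args[0]).read() if args else SAMPLE_UNPATCHED
    for path, result in audit(text).items():
        print("%-40s %s" % (path, result))
    if "--fix" in sys.argv and args:
        fixed = patch(text)
        if fixed != text:
            open(args[0], "w").write(fixed)
            print("patched; restart tomcat (or the spacewalk service) for it to take effect")
```

Run it without arguments to see both actions reported as "missing" on the constructed sample, or against a real file to see "ok" on a patched system. A "wrong:" result means someone already edited the line to something other than the advisory's value and the file deserves a manual look rather than an automatic rewrite; the script does not restart tomcat, which step 3 still requires.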