[Spacewalk-list] Critical security issue about your Spacewalk system

Justin Edmands shockwavecs at gmail.com
Tue Nov 12 16:51:15 UTC 2013


On Tue, Nov 12, 2013 at 11:29 AM, Cliff Perry <cperry at redhat.com> wrote:

> Hi Spacewalk community,
> today, a Critical security issue was announced within the Spacewalk code
> base.
>
> This is covered by CVE:
>
> https://access.redhat.com/security/cve/CVE-2013-4480
>
> We have just committed into the Spacewalk git repo the fixes and building
> packages for Spacewalk 2.0 and 1.9. These packages should be available to
> download and install soon.
>
> Commits are found here:
> https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-2.0
> https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-1.9
>
> Signed packages will be available here within the hour:
> http://yum.spacewalkproject.org/2.0/
> http://yum.spacewalkproject.org/1.9/
>
> If you are running older versions of Spacewalk, then you can manually
> apply the fix (details below).
>
> Once you have patched, I would additionally recommend reviewing:
>  - the users/logins on your Spacewalk, and confirm that no unknown
> Administrative accounts have been created on the Satellite.
>
> Please let us know if you have questions.
>
> Regards,
> Clifford
>
> Link to Satellite Errata:
> https://rhn.redhat.com/errata/RHSA-2013-1513.html
> https://rhn.redhat.com/errata/RHSA-2013-1514.html
>
> Text modified from Satellite Knowledgebase article:
>
> Does CVE-2013-4480 affect Spacewalk 1.x & 2.x?
>
> Issue
> -----
> The flaw identified by CVE-2013-4480 (Red Hat Bugzilla 1024614) describes
> an issue where a user-supplied web query can result in an administrative
> user being added to the Satellite console. A remote, unprivileged user
> could use this flaw to gain administrative privileges to the Satellite
> console.
>
> No public exploit is available; however, exploitation does not require
> specialized knowledge or tools.
>
> Environment
> * Spacewalk 2.0, 1.x, 0.x - all previously released versions
>
> Resolution
> ----------
> Updates to correct this issue are available within the Spacewalk yum repos.
>
> http://spacewalk.redhat.com/yum/
>
> If updating is not possible, or you have an older version than 2.0 or 1.9,
> the /var/lib/tomcat[56]/webapps/rhn/WEB-INF/struts-config.xml file can be
> modified manually to include the two necessary checks.
>
> Spacewalk 1.x and 2.0
> =====================
>
> 1) In the struts-config.xml file, locate the "CreateFirstUserSubmit"
> section and add the following line after the <set-property
> property="postRequired" value="true" /> line:
>
> <set-property property="acls" value="need_first_user()"/>
>
> The modified section should look as follows:
>
>     <action path="/newlogin/CreateFirstUserSubmit"
>         name="createSatelliteForm"
>         scope="request"
>         validate="false"
>         input="/WEB-INF/pages/user/create/usercreate.jsp"
>         type="com.redhat.rhn.frontend.action.user.CreateUserAction"
>         className="com.redhat.rhn.frontend.struts.RhnActionMapping">
>       <set-property property="postRequired" value="true" />
>       <set-property property="acls" value="need_first_user()"/>
>       <forward name="success_sat" path="/YourRhn.do"
>                redirect="true"/>
>       <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
>     </action>
>
> 2) In the struts-config.xml file, locate the "CreateSatelliteSubmit"
> section and add the following line after the <set-property
> property="postRequired" value="true" /> line:
>
> <set-property property="acls" value="user_role(org_admin)"/>
>
> The modified section should look as follows:
>
>     <action path="/newlogin/CreateSatelliteSubmit"
>         name="createSatelliteForm"
>         scope="request"
>         validate="false"
>         input="/WEB-INF/pages/user/create/usercreate.jsp"
>         type="com.redhat.rhn.frontend.action.user.CreateUserAction"
>         className="com.redhat.rhn.frontend.struts.RhnActionMapping">
>       <set-property property="postRequired" value="true" />
>       <set-property property="acls" value="user_role(org_admin)"/>
>       <forward name="existorgsuccess" path="/users/ActiveList.do"
>                redirect="true"/>
>       <forward name="failure" path="/users/CreateUser.do"/>
>     </action>
>
> 3) The Spacewalk service must be restarted, or at least tomcat, for the
> above changes to take effect.
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>


I was about to take mine offline and update. The link no longer works. Is
this not a CVE?
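The two struts-config.xml checks described in the quoted advisory, as an added verification and patching helper that is not part of the original post or of the Spacewalk project. It parses a config, reports which of the two user-creation actions still lack the expected `acls` property, and can insert the missing property directly after `postRequired`; the embedded excerpt is a constructed unpatched sample, not a real Spacewalk file.

```python
import xml.etree.ElementTree as ET

# Expected ACL per action path, taken from the CVE-2013-4480 advisory quoted above.
REQUIRED_ACLS = {
    "/newlogin/CreateFirstUserSubmit": "need_first_user()",
    "/newlogin/CreateSatelliteSubmit": "user_role(org_admin)",
}

def action_acls(xml_text):
    """Map every <action path="..."> to its 'acls' set-property value (None if absent)."""
    root = ET.fromstring(xml_text)
    acls = {}
    for action in root.iter("action"):
        value = None
        for prop in action.findall("set-property"):
            if prop.get("property") == "acls":
                value = prop.get("value")
        acls[action.get("path")] = value
    return acls

def missing_acls(xml_text):
    """List (path, expected_acl) for the two user-creation actions that lack the exact fix."""
    found = action_acls(xml_text)
    return [(p, want) for p, want in REQUIRED_ACLS.items() if found.get(p) != want]

def apply_fix(xml_text):
    """Return the config with each required acls property inserted right after postRequired.
    ElementTree drops the DOCTYPE and comments, so review the output before deploying it."""
    root = ET.fromstring(xml_text)
    for action in root.iter("action"):
        want = REQUIRED_ACLS.get(action.get("path"))
        already = any(p.get("property") == "acls" for p in action.findall("set-property"))
        if want is None or already:
            continue
        children = list(action)
        idx = next((i for i, c in enumerate(children)
                    if c.tag == "set-property" and c.get("property") == "postRequired"), -1)
        action.insert(idx + 1, ET.Element("set-property", {"property": "acls", "value": want}))
    return ET.tostring(root, encoding="unicode")

# Constructed excerpt of an unpatched struts-config.xml (not the real Spacewalk file).
UNPATCHED = """<struts-config><action-mappings>
<action path="/newlogin/CreateFirstUserSubmit" name="createSatelliteForm">
  <set-property property="postRequired" value="true"/>
  <forward name="success_sat" path="/YourRhn.do" redirect="true"/>
</action>
<action path="/newlogin/CreateSatelliteSubmit" name="createSatelliteForm">
  <set-property property="postRequired" value="true"/>
  <forward name="failure" path="/users/CreateUser.do"/>
</action>
</action-mappings></struts-config>"""

if __name__ == "__main__":
    print("missing before fix:", missing_acls(UNPATCHED))
    print("missing after fix:", missing_acls(apply_fix(UNPATCHED)))
```

On a live system, point the same functions at `/var/lib/tomcat[56]/webapps/rhn/WEB-INF/struts-config.xml` and restart tomcat afterwards, as step 3 of the advisory says.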