[Spacewalk-list] Critical security issue about your Spacewalk system
Cliff Perry
cperry at redhat.com
Tue Nov 12 19:11:30 UTC 2013
On 12/11/13 11:51, Justin Edmands wrote:
> On Tue, Nov 12, 2013 at 11:29 AM, Cliff Perry <cperry at redhat.com> wrote:
>
> Hi Spacewalk community,
> today, a Critical security issue was announced within the Spacewalk
> code base.
>
> This is covered by CVE:
>
> https://access.redhat.com/security/cve/CVE-2013-4480
>
> We have just committed into the Spacewalk git repo the fixes and
> building packages for Spacewalk 2.0 and 1.9. These packages should
> be available to download and install soon.
>
> Commits are found here:
> https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-2.0
> https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-1.9
>
> Signed packages will be available here within the hour:
> http://yum.spacewalkproject.org/2.0/
> http://yum.spacewalkproject.org/1.9/
>
> If you are running older versions of Spacewalk, then you can
> manually apply the fix (details below).
>
> Once you have patched, I would additionally recommend reviewing:
> - the users/logins on your Spacewalk and confirm no unknown
> Administrative accounts have been created on the Satellite.
>
> Please let us know if you have questions.
>
> Regards,
> Clifford
>
> Link to Satellite Errata:
> https://rhn.redhat.com/errata/RHSA-2013-1513.html
> https://rhn.redhat.com/errata/RHSA-2013-1514.html
>
> Text modified from Satellite Knowledgebase article:
>
> Does CVE-2013-4480 affect Spacewalk 1.x & 2.x?
>
> Issue
> -----
> The flaw identified by CVE-2013-4480 (Red Hat Bugzilla 1024614)
> describes an issue where a user-supplied web query can result in an
> administrative user being added to the Satellite console. A remote,
> unprivileged user could use this flaw to gain administrative
> privileges to the Satellite console.
>
> No public exploit is available; however, exploitation does not
> require specialized knowledge or tools.
>
> Environment
> * Spacewalk 2.0, 1.x, 0.x - all previously released versions
>
> Resolution
> ----------
> Updates to correct this issue are available within the Spacewalk yum
> repos.
>
> http://spacewalk.redhat.com/yum/
>
> If updating is not possible, or you have an older version than 2.0
> or 1.9, the
> /var/lib/tomcat[56]/webapps/rhn/WEB-INF/struts-config.xml file can
> be modified manually to include the two necessary checks.
>
> Spacewalk 1.x and 2.0
> =====================
>
> 1) In the struts-config.xml file, locate the "CreateFirstUserSubmit"
> section and add the following line after the <set-property
> property="postRequired" value="true" /> line:
>
> <set-property property="acls" value="need_first_user()"/>
>
> The modified section should look as follows:
>
> <action path="/newlogin/CreateFirstUserSubmit"
>         name="createSatelliteForm"
>         scope="request"
>         validate="false"
>         input="/WEB-INF/pages/user/create/usercreate.jsp"
>         type="com.redhat.rhn.frontend.action.user.CreateUserAction"
>         className="com.redhat.rhn.frontend.struts.RhnActionMapping">
>     <set-property property="postRequired" value="true" />
>     <set-property property="acls" value="need_first_user()"/>
>     <forward name="success_sat" path="/YourRhn.do" redirect="true"/>
>     <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
> </action>
>
> 2) In the struts-config.xml file, locate the "CreateSatelliteSubmit"
> section and add the following line after the <set-property
> property="postRequired" value="true" /> line:
>
> <set-property property="acls" value="user_role(org_admin)"/>
>
> The modified section should look as follows:
>
> <action path="/newlogin/CreateSatelliteSubmit"
>         name="createSatelliteForm"
>         scope="request"
>         validate="false"
>         input="/WEB-INF/pages/user/create/usercreate.jsp"
>         type="com.redhat.rhn.frontend.action.user.CreateUserAction"
>         className="com.redhat.rhn.frontend.struts.RhnActionMapping">
>     <set-property property="postRequired" value="true" />
>     <set-property property="acls" value="user_role(org_admin)"/>
>     <forward name="existorgsuccess" path="/users/ActiveList.do" redirect="true"/>
>     <forward name="failure" path="/users/CreateUser.do"/>
> </action>
>
> 3) The Spacewalk service must be restarted, or at least tomcat, for
> the above changes to take effect.
>
> _________________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
>
>
> I was about to take mine offline and update. The link no longer works.
> Is this not a CVE?
>
The CVE link was not working earlier, but it is now resolved and
functional.
https://access.redhat.com/security/cve/CVE-2013-4480
Updated Spacewalk 2.0 and 1.9 packages are available (*).
(*) The Spacewalk 1.9 build is not working for Fedora-based Spacewalk 1.9.
Regards,
Clifford
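The manual fix in the quoted advisory is two one-line additions to struts-config.xml, and it is easy to apply to only one of the two action mappings or to mistype the acls value. The script below checks a struts-config.xml for both guards and reports each mapping as patched, unguarded, carrying a different acls value, or absent. It is an added example, not code from the mailing list thread or from the Spacewalk project; the two paths and acls values come from the advisory text above, the default tomcat6 file location is taken from the advisory's tomcat[56] pattern and is an assumption, and the two embedded XML fragments are constructed samples, not copies of a real Spacewalk file.

```python
"""Check a Spacewalk struts-config.xml for the two ACL guards described in
the CVE-2013-4480 advisory.

Added example, not code from the Spacewalk-list thread or the Spacewalk
project. DEFAULT_PATH assumes a tomcat6 install (the advisory says
tomcat[56]); pass the real path as the first argument if it differs.
"""
import sys
import xml.etree.ElementTree as ET

# Action path -> acls value the advisory says must be present.
REQUIRED_ACLS = {
    "/newlogin/CreateFirstUserSubmit": "need_first_user()",
    "/newlogin/CreateSatelliteSubmit": "user_role(org_admin)",
}

DEFAULT_PATH = "/var/lib/tomcat6/webapps/rhn/WEB-INF/struts-config.xml"  # assumption


def acls_of(action):
    """Return the value of the <set-property property="acls"> child, or None."""
    for prop in action.findall("set-property"):
        if prop.get("property") == "acls":
            return prop.get("value")
    return None


def check_acl_guards(xml_text):
    """Map each guarded action path to one status string:
    'ok'        - mapping present with the expected acls value
    'missing'   - mapping present but without any acls property (unpatched)
    'wrong:<v>' - mapping present but with a different acls value <v>
    'not-found' - no <action> with that path exists in the file
    """
    root = ET.fromstring(xml_text)
    result = {path: "not-found" for path in REQUIRED_ACLS}
    for action in root.iter("action"):
        path = action.get("path")
        if path not in REQUIRED_ACLS:
            continue
        value = acls_of(action)
        if value is None:
            result[path] = "missing"
        elif value == REQUIRED_ACLS[path]:
            result[path] = "ok"
        else:
            result[path] = "wrong:" + value
    return result


def is_patched(xml_text):
    """True only when both guarded mappings exist and carry the expected acls."""
    return all(status == "ok" for status in check_acl_guards(xml_text).values())


# Constructed sample: the two mappings as they look before the fix (no acls).
UNPATCHED_SAMPLE = """<struts-config>
  <action-mappings>
    <action path="/newlogin/CreateFirstUserSubmit" name="createSatelliteForm"
            scope="request" validate="false"
            type="com.redhat.rhn.frontend.action.user.CreateUserAction"
            className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <forward name="success_sat" path="/YourRhn.do" redirect="true"/>
    </action>
    <action path="/newlogin/CreateSatelliteSubmit" name="createSatelliteForm"
            scope="request" validate="false"
            type="com.redhat.rhn.frontend.action.user.CreateUserAction"
            className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <forward name="existorgsuccess" path="/users/ActiveList.do" redirect="true"/>
    </action>
  </action-mappings>
</struts-config>
"""

# Constructed sample: the same mappings with the advisory's two acls lines added.
PATCHED_SAMPLE = UNPATCHED_SAMPLE.replace(
    '<set-property property="postRequired" value="true" />\n'
    '      <forward name="success_sat"',
    '<set-property property="postRequired" value="true" />\n'
    '      <set-property property="acls" value="need_first_user()"/>\n'
    '      <forward name="success_sat"',
).replace(
    '<set-property property="postRequired" value="true" />\n'
    '      <forward name="existorgsuccess"',
    '<set-property property="postRequired" value="true" />\n'
    '      <set-property property="acls" value="user_role(org_admin)"/>\n'
    '      <forward name="existorgsuccess"',
)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    with open(path, "rb") as fh:
        data = fh.read()
    for action_path, status in sorted(check_acl_guards(data).items()):
        print(f"{status:12} {action_path}")
    sys.exit(0 if is_patched(data) else 1)
```

Run it on the server after editing the file and before restarting tomcat; a non-zero exit means at least one mapping is still unguarded, so the restart in step 3 would not close the hole. The check is deliberately strict about the acls value: a mapping with some other acls string is reported separately rather than treated as fixed, because the advisory names exactly which check each action needs.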