On Tue, Nov 12, 2013 at 11:29 AM, Cliff Perry <[email protected]> wrote:
> Hi Spacewalk community,
>
> today, a Critical security issue was announced within the Spacewalk code base.
>
> This is covered by CVE:
>
> https://access.redhat.com/security/cve/CVE-2013-4480
>
> We have just committed into the Spacewalk git repo the fixes and are building packages for Spacewalk 2.0 and 1.9. These packages should be available to download and install soon.
>
> Commits are found here:
> https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-2.0
> https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-1.9
>
> Signed packages will be available here within the hour:
> http://yum.spacewalkproject.org/2.0/
> http://yum.spacewalkproject.org/1.9/
>
> If you are running older versions of Spacewalk, then you can manually apply the fix (details below).
>
> Once you have patched, I would additionally recommend reviewing:
> - the users/logins on your Spacewalk and confirm no unknown Administrative accounts have been created on the Satellite.
>
> Please let us know if you have questions.
>
> Regards,
> Clifford
>
> Link to Satellite Errata:
> https://rhn.redhat.com/errata/RHSA-2013-1513.html
> https://rhn.redhat.com/errata/RHSA-2013-1514.html
>
> Text modified from Satellite Knowledgebase article:
>
> Does CVE-2013-4480 affect Spacewalk 1.x & 2.x?
>
> Issue
> -----
> The flaw identified by CVE-2013-4480 (Red Hat Bugzilla 1024614) describes an issue where a user-supplied web query can result in an administrative user being added to the Satellite console. A remote, unprivileged user could use this flaw to gain administrative privileges to the Satellite console.
>
> No public exploit is available; however, exploitation does not require specialized knowledge or tools.
>
> Environment
> * Spacewalk 2.0, 1.x, 0.x - all previously released versions
>
> Resolution
> ----------
> Updates to correct this issue are available within the Spacewalk yum repos.
>
> http://spacewalk.redhat.com/yum/
>
> If updating is not possible, or you have an older version than 2.0 or 1.9, the /var/lib/tomcat[56]/webapps/rhn/WEB-INF/struts-config.xml file can be modified manually to include the two necessary checks.
>
> Spacewalk 1.x and 2.0
> =====================
>
> 1) In the struts-config.xml file, locate the "CreateFirstUserSubmit" section and add the following line after the <set-property property="postRequired" value="true" /> line:
>
>     <set-property property="acls" value="need_first_user()"/>
>
> The modified section should look as follows:
>
>     <action path="/newlogin/CreateFirstUserSubmit"
>             name="createSatelliteForm"
>             scope="request"
>             validate="false"
>             input="/WEB-INF/pages/user/create/usercreate.jsp"
>             type="com.redhat.rhn.frontend.action.user.CreateUserAction"
>             className="com.redhat.rhn.frontend.struts.RhnActionMapping">
>         <set-property property="postRequired" value="true" />
>         <set-property property="acls" value="need_first_user()"/>
>         <forward name="success_sat" path="/YourRhn.do" redirect="true"/>
>         <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
>     </action>
>
> 2) In the struts-config.xml file, locate the "CreateSatelliteSubmit" section and add the following line after the <set-property property="postRequired" value="true" /> line:
>
>     <set-property property="acls" value="user_role(org_admin)"/>
>
> The modified section should look as follows:
>
>     <action path="/newlogin/CreateSatelliteSubmit"
>             name="createSatelliteForm"
>             scope="request"
>             validate="false"
>             input="/WEB-INF/pages/user/create/usercreate.jsp"
>             type="com.redhat.rhn.frontend.action.user.CreateUserAction"
>             className="com.redhat.rhn.frontend.struts.RhnActionMapping">
>         <set-property property="postRequired" value="true" />
>         <set-property property="acls" value="user_role(org_admin)"/>
>         <forward name="existorgsuccess" path="/users/ActiveList.do" redirect="true"/>
>         <forward name="failure" path="/users/CreateUser.do"/>
>     </action>
>
> 3) The Spacewalk service must be restarted, or at least tomcat, for the above changes to take effect.
>
> _______________________________________________
> Spacewalk-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/spacewalk-list

I was about to take mine offline and update. The link no longer works. Is this not a CVE?
_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
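The manual mitigation quoted above is two ACL additions to struts-config.xml, and the easy mistake is to patch one action mapping and forget the other, or to edit the file and not restart tomcat. The following checker is an added example for verifying the first part (it is not code from the mailing-list post or from the Spacewalk project): it parses a struts-config.xml with the standard-library XML parser and reports, for each of the two action paths named in the advisory, whether the expected `acls` set-property is present. The function names, the `REQUIRED_ACLS` table, and the embedded sample configuration (deliberately patched for one action and unpatched for the other) are constructed for this example.

```python
"""Check a Spacewalk struts-config.xml for the CVE-2013-4480 ACL entries.

Added example, not part of the original post or of Spacewalk itself.
Usage:  python check_struts_acls.py /var/lib/tomcat6/webapps/rhn/WEB-INF/struts-config.xml
Without an argument it runs against the constructed SAMPLE_CONFIG below.
"""
import sys
import xml.etree.ElementTree as ET

# Action paths and the ACL each must carry, exactly as given in the advisory.
REQUIRED_ACLS = {
    "/newlogin/CreateFirstUserSubmit": "need_first_user()",
    "/newlogin/CreateSatelliteSubmit": "user_role(org_admin)",
}

# Constructed sample: the first mapping carries its ACL, the second does not.
# A real file also carries a DOCTYPE; ElementTree tolerates it and does not
# fetch the external DTD.
SAMPLE_CONFIG = """<struts-config>
  <action-mappings>
    <action path="/newlogin/CreateFirstUserSubmit" name="createSatelliteForm"
            scope="request" validate="false"
            type="com.redhat.rhn.frontend.action.user.CreateUserAction"
            className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <set-property property="acls" value="need_first_user()"/>
      <forward name="success_sat" path="/YourRhn.do" redirect="true"/>
    </action>
    <action path="/newlogin/CreateSatelliteSubmit" name="createSatelliteForm"
            scope="request" validate="false"
            type="com.redhat.rhn.frontend.action.user.CreateUserAction"
            className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <forward name="existorgsuccess" path="/users/ActiveList.do" redirect="true"/>
    </action>
  </action-mappings>
</struts-config>
"""


def check_struts_config(xml_text):
    """Map each guarded action path to None (ok) or a short problem string."""
    root = ET.fromstring(xml_text)
    # Index every <action> element anywhere in the document by its path.
    actions = {a.get("path"): a for a in root.iter("action")}
    results = {}
    for path, expected in REQUIRED_ACLS.items():
        action = actions.get(path)
        if action is None:
            results[path] = "action mapping not found"
            continue
        # Only direct <set-property> children with property="acls" count.
        acls = [sp.get("value") for sp in action.findall("set-property")
                if sp.get("property") == "acls"]
        if not acls:
            results[path] = "missing acls set-property"
        elif expected not in acls:
            results[path] = "unexpected acls value: %s" % ", ".join(acls)
        else:
            results[path] = None
    return results


def is_mitigated(xml_text):
    """True only when both action mappings carry the expected ACL."""
    return all(problem is None for problem in check_struts_config(xml_text).values())


def check_file(path):
    """Read struts-config.xml from disk and check it."""
    with open(path, "rb") as fh:
        return check_struts_config(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = check_file(sys.argv[1])
    else:
        report = check_struts_config(SAMPLE_CONFIG)
    for action_path, problem in report.items():
        print("%-40s %s" % (action_path, problem or "ok"))
    # Non-zero exit lets this run from a config-audit job; remember that the
    # advisory also requires a tomcat restart for an edited file to take effect.
    sys.exit(0 if all(p is None for p in report.values()) else 1)
```

Run against the sample it exits 1 and reports the CreateSatelliteSubmit mapping as missing its ACL; on a live server point it at the tomcat5 or tomcat6 copy of the file as appropriate. The check deliberately looks for the exact `acls` value the advisory specifies rather than merely for the presence of an `acls` property, so a typo such as a missing `()` is caught as "unexpected acls value".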
