On 12/11/13 11:51, Justin Edmands wrote:
> On Tue, Nov 12, 2013 at 11:29 AM, Cliff Perry <[email protected]> wrote:
>
>> Hi Spacewalk community,
>>
>> today, a Critical security issue was announced within the Spacewalk code
>> base. This is covered by CVE:
>> https://access.redhat.com/security/cve/CVE-2013-4480
>>
>> We have just committed into the Spacewalk git repo the fixes and building
>> packages for Spacewalk 2.0 and 1.9. These packages should be available to
>> download and install soon.
>>
>> Commits are found here:
>> https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-2.0
>> https://git.fedorahosted.org/cgit/spacewalk.git/log/?h=SPACEWALK-1.9
>>
>> Signed packages will be available here within the hour:
>> http://yum.spacewalkproject.org/2.0/
>> http://yum.spacewalkproject.org/1.9/
>>
>> If you are running older versions of Spacewalk, then you can manually
>> apply the fix (details below).
>>
>> Once you have patched, I would additionally recommend to review:
>> - the users/logins on your Spacewalk and confirm no unknown
>>   Administrative accounts have been created on the Satellite.
>>
>> Please let us know if you have questions.
>>
>> Regards,
>> Clifford
>>
>> Link to Satellite Errata:
>> https://rhn.redhat.com/errata/RHSA-2013-1513.html
>> https://rhn.redhat.com/errata/RHSA-2013-1514.html
>>
>> Text modified from Satellite Knowledgebase article:
>> Does CVE-2013-4480 affect Spacewalk 1.x & 2.x?
>>
>> Issue
>> -----
>> The flaw identified by CVE-2013-4480 (Red Hat Bugzilla 1024614) describes
>> an issue where a user-supplied web query can result in an administrative
>> user being added to the Satellite console.
>>
>> A remote, unprivileged user could use this flaw to gain administrative
>> privileges to the Satellite console. No public exploit is available;
>> however, exploitation does not require specialized knowledge or tools.
>>
>> Environment
>> -----------
>> * Spacewalk 2.0, 1.x, 0.x - all previously released versions
>>
>> Resolution
>> ----------
>> Updates to correct this issue are available within the Spacewalk yum repos.
>> http://spacewalk.redhat.com/yum/
>>
>> If updating is not possible, or you have an older version than 2.0 or 1.9,
>> the /var/lib/tomcat[56]/webapps/rhn/WEB-INF/struts-config.xml file can be
>> modified manually to include the two necessary checks.
>>
>> Spacewalk 1.x and 2.0
>> =====================
>>
>> 1) In the struts-config.xml file, locate the "CreateFirstUserSubmit"
>>    section and add the following line after the
>>    <set-property property="postRequired" value="true" /> line:
>>
>>    <set-property property="acls" value="need_first_user()"/>
>>
>>    The modified section should look as follows:
>>
>>    <action path="/newlogin/CreateFirstUserSubmit"
>>            name="createSatelliteForm"
>>            scope="request"
>>            validate="false"
>>            input="/WEB-INF/pages/user/create/usercreate.jsp"
>>            type="com.redhat.rhn.frontend.action.user.CreateUserAction"
>>            className="com.redhat.rhn.frontend.struts.RhnActionMapping">
>>        <set-property property="postRequired" value="true" />
>>        <set-property property="acls" value="need_first_user()"/>
>>        <forward name="success_sat" path="/YourRhn.do" redirect="true"/>
>>        <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
>>    </action>
>>
>> 2) In the struts-config.xml file, locate the "CreateSatelliteSubmit"
>>    section and add the following line after the
>>    <set-property property="postRequired" value="true" /> line:
>>
>>    <set-property property="acls" value="user_role(org_admin)"/>
>>
>>    The modified section should look as follows:
>>
>>    <action path="/newlogin/CreateSatelliteSubmit"
>>            name="createSatelliteForm"
>>            scope="request"
>>            validate="false"
>>            input="/WEB-INF/pages/user/create/usercreate.jsp"
>>            type="com.redhat.rhn.frontend.action.user.CreateUserAction"
>>            className="com.redhat.rhn.frontend.struts.RhnActionMapping">
>>        <set-property property="postRequired" value="true" />
>>        <set-property property="acls" value="user_role(org_admin)"/>
>>        <forward name="existorgsuccess" path="/users/ActiveList.do" redirect="true"/>
>>        <forward name="failure" path="/users/CreateUser.do"/>
>>    </action>
>>
>> 3) The Spacewalk service must be restarted, or at least tomcat, for the
>>    above changes to take effect.
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
> I was about to take mine offline and update. The link no longer works.
> Is this not a CVE?
The CVE link was not working earlier, but it is now resolved and functional.
https://access.redhat.com/security/cve/CVE-2013-4480

Updated Spacewalk 2.0 and 1.9 packages are available (*).

(*) The Spacewalk 1.9 build is not working for Fedora based Spacewalk 1.9.

Regards,
Clifford
_______________________________________________ Spacewalk-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/spacewalk-list
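The manual fix quoted in the advisory above adds an "acls" set-property to two Struts action mappings. As an added example (my code, not code from the thread or from the Spacewalk project), the following Python script parses a struts-config.xml and reports whether each of those two mappings carries the exact ACL value the advisory calls for, so an administrator can verify a hand-edited or freshly updated file before restarting tomcat, or run it across a fleet of older installs. The two sample documents are constructed from the advisory's snippets; the default file path (tomcat6 chosen from the advisory's tomcat[56] pattern), the function names and the status labels are my assumptions.

```python
# Added example: audit a Spacewalk struts-config.xml for the two ACL checks
# that the CVE-2013-4480 advisory requires on the user-creation mappings.
# Not code from the mailing list or the Spacewalk project.
import sys
import xml.etree.ElementTree as ET

# Action path -> exact "acls" value the advisory adds to that mapping.
REQUIRED_ACLS = {
    "/newlogin/CreateFirstUserSubmit": "need_first_user()",
    "/newlogin/CreateSatelliteSubmit": "user_role(org_admin)",
}

# Constructed sample: the two mappings as they look before the fix (no "acls"
# set-property), wrapped in a minimal struts-config document.
VULNERABLE_CONFIG = """<struts-config>
  <action-mappings>
    <action path="/newlogin/CreateFirstUserSubmit"
            name="createSatelliteForm" scope="request" validate="false"
            input="/WEB-INF/pages/user/create/usercreate.jsp"
            type="com.redhat.rhn.frontend.action.user.CreateUserAction"
            className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <forward name="success_sat" path="/YourRhn.do" redirect="true"/>
      <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
    </action>
    <action path="/newlogin/CreateSatelliteSubmit"
            name="createSatelliteForm" scope="request" validate="false"
            input="/WEB-INF/pages/user/create/usercreate.jsp"
            type="com.redhat.rhn.frontend.action.user.CreateUserAction"
            className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <forward name="existorgsuccess" path="/users/ActiveList.do" redirect="true"/>
      <forward name="failure" path="/users/CreateUser.do"/>
    </action>
  </action-mappings>
</struts-config>
"""

# Constructed sample: the same document with the advisory's two lines inserted
# after each postRequired set-property, exactly as steps 1) and 2) describe.
PATCHED_CONFIG = VULNERABLE_CONFIG.replace(
    '<set-property property="postRequired" value="true" />\n'
    '      <forward name="success_sat"',
    '<set-property property="postRequired" value="true" />\n'
    '      <set-property property="acls" value="need_first_user()"/>\n'
    '      <forward name="success_sat"',
).replace(
    '<set-property property="postRequired" value="true" />\n'
    '      <forward name="existorgsuccess"',
    '<set-property property="postRequired" value="true" />\n'
    '      <set-property property="acls" value="user_role(org_admin)"/>\n'
    '      <forward name="existorgsuccess"',
)


def action_acls(xml_data):
    """Map every <action path=...> to its "acls" set-property value (None if absent).

    xml_data may be str or bytes; bytes let ElementTree honour the file's own
    encoding declaration when reading the real struts-config.xml.
    """
    root = ET.fromstring(xml_data)
    acls = {}
    for action in root.iter("action"):
        value = None
        for prop in action.findall("set-property"):
            if prop.get("property") == "acls":
                value = prop.get("value")
        acls[action.get("path")] = value
    return acls


def audit_config(xml_data):
    """Return {path: status} for the two mappings the advisory names.

    Status is one of: "ok" (exact ACL present), "missing" (mapping has no acls
    property), "no mapping" (path absent from the file) or "unexpected: <value>"
    (an acls property exists but is not the advisory's value, so it needs review).
    """
    found = action_acls(xml_data)
    report = {}
    for path, required in REQUIRED_ACLS.items():
        if path not in found:
            report[path] = "no mapping"
        elif found[path] is None:
            report[path] = "missing"
        elif found[path] == required:
            report[path] = "ok"
        else:
            report[path] = "unexpected: " + found[path]
    return report


def is_patched(xml_data):
    """True only when both mappings carry exactly the required ACL."""
    return all(status == "ok" for status in audit_config(xml_data).values())


def main(argv):
    # Assumed default path; the advisory's pattern is /var/lib/tomcat[56]/...
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
        label = argv[1]
    else:
        data, label = VULNERABLE_CONFIG, "constructed sample (unpatched)"
    for path, status in audit_config(data).items():
        print(f"{label}: {path}: {status}")
    return 0 if is_patched(data) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the unpatched sample reported as "missing", or pass the real file, e.g. `/var/lib/tomcat6/webapps/rhn/WEB-INF/struts-config.xml`, and use the exit status in a fleet check. The audit deliberately requires the exact ACL string rather than a substring match, so a mapping that someone edited differently shows up as "unexpected" for a human to look at instead of silently passing.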
