Bug #22546

CVE-2018-1097: curl api to change power state on ovirt compute_resource exposes credentials

Added by Steve D 4 months ago. Updated 2 months ago.

Status:Closed
Priority:Urgent
Assigned To:Ori Rabin
Category:Security
Target version:-
Difficulty:
Bugzilla link:
Found in release:1.15.6
Pull request:https://github.com/theforeman/foreman/pull/5375, https://github.com/theforeman/foreman/pull/5374, https://github.com/theforeman/foreman/pull/5371, https://github.com/theforeman/foreman/pull/5369, https://github.com/theforeman/foreman/pull/5373, https://github.com/theforeman/foreman-packaging/pull/2331, https://github.com/theforeman/foreman/pull/5383
Story points:-
Velocity based estimate:-
Release:1.16.1
Release relationship:Auto

Description

Looks like the same issue as https://bugzilla.redhat.com/show_bug.cgi?id=1211613 so perhaps this is a regression.

curl -X PUT -H "Content-Type:application/json" -H "Accept:application/json" -k -u user:password -d '{"power_action": "on"}' https://foreman/api/v2/hosts/testhost.domain.name/power

{"power":{"raw":{"name":"testhost.domain.name","href":"/ovirt-engine/api/v3/vms/b67a994d-68f5-4cba-a515-c79536ce55fe","id":"b67a994d-68f5-4cba-a515-c79536ce55fe","client":{"api_entrypoint":"https://ovirt.domain.name/ovirt-engine/api/v3","credentials":{"username":"admin@internal","password":"unmaskedpassword"},
...
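The leak above is a serialized compute-resource client (the "raw" object) ending up in the API body, so a defender-side check is to scan every response for credential-shaped keys before it reaches a client or a log. The following is an added example, not Foreman's or fog-ovirt's own code; it assumes only the response shape quoted in the report, and the sample values are constructed placeholders.

```python
"""Scan an API response for leaked credentials (added example, not Foreman code)."""
import json
import re

# Key names that should never appear with a scalar value in a response body.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|credentials)", re.I)


def find_secrets(doc, path="$"):
    """Return (json_path, value) pairs for every sensitive scalar found in doc."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(key) and not isinstance(value, (dict, list)):
                hits.append((child, value))
            hits.extend(find_secrets(value, child))  # recurse into nested objects
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            hits.extend(find_secrets(item, f"{path}[{i}]"))
    return hits


def redact(doc):
    """Return a copy of doc with every sensitive scalar replaced by '***'."""
    if isinstance(doc, dict):
        return {
            k: "***" if SENSITIVE_KEY.search(k) and not isinstance(v, (dict, list)) else redact(v)
            for k, v in doc.items()
        }
    if isinstance(doc, list):
        return [redact(v) for v in doc]
    return doc


# Constructed sample mirroring the shape of the leaked power-action response
# in the report; every value here is a placeholder, not a real one.
SAMPLE = {
    "power": {
        "raw": {
            "name": "testhost.example",
            "href": "/ovirt-engine/api/v3/vms/VM-ID-PLACEHOLDER",
            "id": "VM-ID-PLACEHOLDER",
            "client": {
                "api_entrypoint": "https://ovirt.example/ovirt-engine/api/v3",
                "credentials": {"username": "admin@internal", "password": "PLACEHOLDER-PASSWORD"},
            },
        }
    }
}

if __name__ == "__main__":
    for json_path, _ in find_secrets(SAMPLE):
        print(f"credential leaked at {json_path}")
    print(json.dumps(redact(SAMPLE)))
```

Wiring `find_secrets` into an API test suite turns this class of regression into a failing test; `redact` is the scrubber to apply before a raw provider object is ever logged or returned.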


Related issues

Related to Foreman - Bug #23212: Changing power state gives: NameError: uninitialized cons... Closed 04/11/2018

Associated revisions

Revision 6fb097f9
Added by Ori Rabin 3 months ago

Fixes #22546 - CVE-2018-1097: Bump fog-ovirt for power action fix

Revision 957a3a3d
Added by Michael Moll 3 months ago

Refs #22546 - Reflect fog-ovirt requirements update

Revision 0143a963
Added by Michael Moll 3 months ago

Refs #22546 - ovirt-engine-sdk needs libcurl-dev

Revision a50d6604
Added by Michael Moll 3 months ago

Refs #22546 - ovirt-engine-sdk needs libxml2-dev

Revision 241c4e4e
Added by Michael Moll 3 months ago

Refs #22546 - fog requires fog-ovirt. add needed deps

History

#1 Updated by Michael Moll 4 months ago

  • Difficulty deleted (easy)
  • Category changed from API to Compute resources - oVirt

#2 Updated by Tomer Brisker 3 months ago

  • Category changed from Compute resources - oVirt to Security

#3 Updated by The Foreman Bot 3 months ago

  • Assigned To set to Ori Rabin
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/5369 added

#4 Updated by Tomer Brisker 3 months ago

  • Subject changed from curl api to change power state on ovirt compute_resource exposes credentials to CVE-2018-1097: curl api to change power state on ovirt compute_resource exposes credentials

#5 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/foreman/pull/5373 added

#6 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/foreman/pull/5374 added

#7 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/foreman/pull/5375 added

#8 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/foreman/pull/5383 added

#9 Updated by Tomer Brisker 3 months ago

  • Release set to 1.16.1

#10 Updated by Ori Rabin 3 months ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

#11 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/2331 added

#12 Updated by Michael Moll 2 months ago

  • Related to Bug #23212: Changing power state gives: NameError: uninitialized constant Fog::Compute::Ovirt added

#13 Updated by The Foreman Bot 2 months ago

  • Pull request https://github.com/theforeman/foreman/pull/5371 added
