Actions
Bug #36760
closedCVE-2023-4886: World readable tomcat server.xml contains passwords
Status:
Closed
Priority:
Normal
Assignee:
Category:
Foreman modules
Target version:
Difficulty:
Triaged:
No
Description
The file /etc/tomcat/server.xml contains passwords and is world readable. The actual keystore is limited by file permissions, but server.xml should also be limited.
Files
Updated by Ewoud Kohl van Wijngaarden over 1 year ago
Updated by Ewoud Kohl van Wijngaarden about 1 year ago
- Target version set to 3.8.0
Updated by Ewoud Kohl van Wijngaarden about 1 year ago
- File 0001-Refs-36760-Reset-candlepin-key-and-truststore.patch added
This is the installer patch that forces the credentials to also be reset. I started on a proper fix (https://github.com/theforeman/puppet-certs/pull/428), but in the interest of time I'm taking this approach now.
Updated by Eric Helms about 1 year ago
And to be clear, you still need root access to do anythng with the password?
Updated by Ewoud Kohl van Wijngaarden about 1 year ago
- File deleted (
0001-Refs-36760-Reset-candlepin-key-and-truststore.patch)
Updated by Ewoud Kohl van Wijngaarden about 1 year ago
- File 0001-Refs-36760-Reset-candlepin-key-and-truststore.patch 0001-Refs-36760-Reset-candlepin-key-and-truststore.patch added
Yes. You can verify this:
# ls -l /etc/candlepin/certs/{key,trust}store -rw-r-----. 1 root tomcat 4687 Oct 3 15:34 /etc/candlepin/certs/keystore -rw-r-----. 1 root tomcat 4194 Oct 3 15:34 /etc/candlepin/certs/truststore
I also had a mistake in the previous patch. I've now verified it on a nightly box.
Updated by Ewoud Kohl van Wijngaarden about 1 year ago
- Subject changed from World readable tomcat server.xml contains passwords to CVE-2023-4886: World readable tomcat server.xml contains passwords
- Private changed from Yes to No
Embargo has lifted, removing private.
Updated by The Foreman Bot about 1 year ago
- Status changed from New to Ready For Testing
- Assignee set to Ewoud Kohl van Wijngaarden
- Pull request https://github.com/theforeman/puppet-candlepin/pull/242 added
Updated by The Foreman Bot about 1 year ago
- Pull request https://github.com/theforeman/foreman-installer/pull/886 added
Updated by The Foreman Bot about 1 year ago
- Pull request https://github.com/theforeman/foreman-installer/pull/887 added
Updated by Ewoud Kohl van Wijngaarden about 1 year ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-candlepin|0f0595d7cbcd1658c09aca173e291ad82217673c.
Updated by The Foreman Bot about 1 year ago
- Pull request https://github.com/theforeman/foreman-installer/pull/890 added
Updated by Ewoud Kohl van Wijngaarden about 1 year ago
- Fixed in Releases 3.8.0 added
- Fixed in Releases deleted (
3.9.0)
Actions