Project

General

Profile

Actions

Bug #36760

closed

CVE-2023-4886: World readable tomcat server.xml contains passwords

Added by Ewoud Kohl van Wijngaarden over 1 year ago. Updated about 1 year ago.


Description

The file /etc/tomcat/server.xml contains passwords and is world readable. The actual keystore is limited by file permissions, but server.xml should also be limited.


Files

Actions #2

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Target version set to 3.8.0
Actions #3

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • File 0001-Refs-36760-Reset-candlepin-key-and-truststore.patch added

This is the installer patch that forces the credentials to also be reset. I started on a proper fix (https://github.com/theforeman/puppet-certs/pull/428), but in the interest of time I'm taking this approach now.

Actions #4

Updated by Eric Helms about 1 year ago

And to be clear, you still need root access to do anythng with the password?

Actions #5

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • File deleted (0001-Refs-36760-Reset-candlepin-key-and-truststore.patch)
Actions #6

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

Yes. You can verify this:

# ls -l /etc/candlepin/certs/{key,trust}store
-rw-r-----. 1 root tomcat 4687 Oct  3 15:34 /etc/candlepin/certs/keystore
-rw-r-----. 1 root tomcat 4194 Oct  3 15:34 /etc/candlepin/certs/truststore

I also had a mistake in the previous patch. I've now verified it on a nightly box.

Actions #7

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Subject changed from World readable tomcat server.xml contains passwords to CVE-2023-4886: World readable tomcat server.xml contains passwords
  • Private changed from Yes to No

Embargo has lifted, removing private.

Actions #8

Updated by The Foreman Bot about 1 year ago

  • Status changed from New to Ready For Testing
  • Assignee set to Ewoud Kohl van Wijngaarden
  • Pull request https://github.com/theforeman/puppet-candlepin/pull/242 added
Actions #9

Updated by The Foreman Bot about 1 year ago

  • Pull request https://github.com/theforeman/foreman-installer/pull/886 added
Actions #10

Updated by The Foreman Bot about 1 year ago

  • Pull request https://github.com/theforeman/foreman-installer/pull/887 added
Actions #11

Updated by The Foreman Bot about 1 year ago

  • Fixed in Releases 3.9.0 added
Actions #12

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Status changed from Ready For Testing to Closed
Actions #13

Updated by The Foreman Bot about 1 year ago

  • Pull request https://github.com/theforeman/foreman-installer/pull/890 added
Actions #14

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Fixed in Releases 3.8.0 added
  • Fixed in Releases deleted (3.9.0)
Actions

Also available in: Atom PDF