Bug #36760 (closed): CVE-2023-4886: World readable tomcat server.xml contains passwords
Status: Closed
Priority: Normal
Assignee:
Category: Foreman modules
Target version:
Difficulty:
Triaged: No
Description
The file /etc/tomcat/server.xml contains passwords and is world readable. The actual keystore is limited by file permissions, but server.xml should also be limited.
Updated by Ewoud Kohl van Wijngaarden 10 months ago
Updated by Ewoud Kohl van Wijngaarden 9 months ago
- File 0001-Refs-36760-Reset-candlepin-key-and-truststore.patch added
This is the installer patch that forces the credentials to also be reset. I started on a proper fix (https://github.com/theforeman/puppet-certs/pull/428), but in the interest of time I'm taking this approach now.
Updated by Eric Helms 9 months ago
And to be clear, you still need root access to do anything with the password?
Updated by Ewoud Kohl van Wijngaarden 9 months ago
- File deleted (0001-Refs-36760-Reset-candlepin-key-and-truststore.patch)
Updated by Ewoud Kohl van Wijngaarden 9 months ago
- File 0001-Refs-36760-Reset-candlepin-key-and-truststore.patch added
Yes. You can verify this:
# ls -l /etc/candlepin/certs/{key,trust}store
-rw-r-----. 1 root tomcat 4687 Oct 3 15:34 /etc/candlepin/certs/keystore
-rw-r-----. 1 root tomcat 4194 Oct 3 15:34 /etc/candlepin/certs/truststore
I also had a mistake in the previous patch. I've now verified it on a nightly box.
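A small audit script for the permission problem in the description and the check above, added here as an example (it is not code from the Foreman project or from this ticket): it flags any of the named files that are readable by "other" and can apply the root:tomcat / 0640 pairing the keystore and truststore already carry. It assumes GNU coreutils `stat -c`; the paths are the ones the ticket names.

```shell
#!/bin/sh
# Added example, not code from the Foreman project or this ticket.
# Usage: sh audit_secrets.sh /etc/tomcat/server.xml /etc/candlepin/certs/keystore
# Assumes GNU coreutils (stat -c); on BSD/macOS use stat -f '%Lp' instead.

# Exit 0 when the file is readable by "other", 1 when it is not, 2 if missing.
world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # The last octal digit is the "other" permission set; bit 4 is read.
    case "${mode#${mode%?}}" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print every world-readable file among the arguments; exit 1 if any was found.
audit_secrets() {
    found=0
    for f in "$@"; do
        if world_readable "$f"; then
            printf 'WORLD-READABLE: %s (%s)\n' "$f" "$(stat -c '%U:%G %a' "$f")"
            found=1
        fi
    done
    return "$found"
}

# Restrict a file to its owner and group, matching the keystore permissions
# shown in this ticket. Owner:group defaults to root:tomcat; pass another
# pairing as the second argument when the service account differs.
harden_secret() {
    chown "${2:-root:tomcat}" "$1" && chmod 0640 "$1"
}

# Run the audit only when paths were given, so the file can also be sourced.
[ $# -gt 0 ] && audit_secrets "$@"
```

Run it as root on a Foreman/Katello host with the paths from the ticket; a non-zero exit means at least one secret-bearing file is still world readable.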
Updated by Ewoud Kohl van Wijngaarden 9 months ago
- Subject changed from World readable tomcat server.xml contains passwords to CVE-2023-4886: World readable tomcat server.xml contains passwords
- Private changed from Yes to No
Embargo has lifted, removing private.
Updated by The Foreman Bot 9 months ago
- Status changed from New to Ready For Testing
- Assignee set to Ewoud Kohl van Wijngaarden
- Pull request https://github.com/theforeman/puppet-candlepin/pull/242 added
Updated by The Foreman Bot 9 months ago
- Pull request https://github.com/theforeman/foreman-installer/pull/886 added
Updated by The Foreman Bot 9 months ago
- Pull request https://github.com/theforeman/foreman-installer/pull/887 added
Updated by Ewoud Kohl van Wijngaarden 9 months ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-candlepin|0f0595d7cbcd1658c09aca173e291ad82217673c.
Updated by The Foreman Bot 9 months ago
- Pull request https://github.com/theforeman/foreman-installer/pull/890 added
Updated by Ewoud Kohl van Wijngaarden 9 months ago
- Fixed in Releases 3.8.0 added
- Fixed in Releases deleted (3.9.0)