Project

General

Profile

Actions
Copy link

Bug #36760

closed

CVE-2023-4886: World readable tomcat server.xml contains passwords

Added by Ewoud Kohl van Wijngaarden about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Ewoud Kohl van Wijngaarden
Category:
Foreman modules
Target version:
Foreman - 3.8.0
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
https://github.com/theforeman/puppet-candlepin/pull/242, https://github.com/theforeman/foreman-installer/pull/886, https://github.com/theforeman/foreman-installer/pull/887, https://github.com/theforeman/foreman-installer/pull/890
Fixed in Releases:
Foreman - 3.8.0
Found in Releases:
Red Hat JIRA:

Description

The file /etc/tomcat/server.xml contains passwords and is world readable. The actual keystore is limited by file permissions, but server.xml should also be limited.

Files

0001-Fixes-36760-Limit-access-to-server.xml.patch 0001-Fixes-36760-Limit-access-to-server.xml.patch 1.13 KB Ewoud Kohl van Wijngaarden, 09/20/2023 09:23 AM
0001-Refs-36760-Reset-candlepin-key-and-truststore.patch 0001-Refs-36760-Reset-candlepin-key-and-truststore.patch 2.24 KB Ewoud Kohl van Wijngaarden, 10/03/2023 03:38 PM
Actions
Copy link
 #2

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Target version set to 3.8.0
Actions
Copy link
 #3

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • File 0001-Refs-36760-Reset-candlepin-key-and-truststore.patch added

This is the installer patch that forces the credentials to also be reset. I started on a proper fix (https://github.com/theforeman/puppet-certs/pull/428), but in the interest of time I'm taking this approach now.

Actions
Copy link
 #4

Updated by Eric Helms about 1 year ago

And to be clear, you still need root access to do anythng with the password?

Actions
Copy link
 #5

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • File deleted (0001-Refs-36760-Reset-candlepin-key-and-truststore.patch)
Actions
Copy link
 #6

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

Yes. You can verify this:

# ls -l /etc/candlepin/certs/{key,trust}store
-rw-r-----. 1 root tomcat 4687 Oct  3 15:34 /etc/candlepin/certs/keystore
-rw-r-----. 1 root tomcat 4194 Oct  3 15:34 /etc/candlepin/certs/truststore

I also had a mistake in the previous patch. I've now verified it on a nightly box.

Actions
Copy link
 #7

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Subject changed from World readable tomcat server.xml contains passwords to CVE-2023-4886: World readable tomcat server.xml contains passwords
  • Private changed from Yes to No

Embargo has lifted, removing private.

Actions
Copy link
 #8

Updated by The Foreman Bot about 1 year ago

  • Status changed from New to Ready For Testing
  • Assignee set to Ewoud Kohl van Wijngaarden
  • Pull request https://github.com/theforeman/puppet-candlepin/pull/242 added
Actions
Copy link
 #9

Updated by The Foreman Bot about 1 year ago

  • Pull request https://github.com/theforeman/foreman-installer/pull/886 added
Actions
Copy link
 #10

Updated by The Foreman Bot about 1 year ago

  • Pull request https://github.com/theforeman/foreman-installer/pull/887 added
Actions
Copy link
 #11

Updated by The Foreman Bot about 1 year ago

  • Fixed in Releases 3.9.0 added
Actions
Copy link
 #12

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Status changed from Ready For Testing to Closed
Actions
Copy link
 #13

Updated by The Foreman Bot about 1 year ago

  • Pull request https://github.com/theforeman/foreman-installer/pull/890 added
Actions
Copy link
 #14

Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Fixed in Releases 3.8.0 added
  • Fixed in Releases deleted (3.9.0)
Actions
Copy link

Also available in: Atom PDF