Bug #36760
closed
CVE-2023-4886: World readable tomcat server.xml contains passwords
Added by Ewoud Kohl van Wijngaarden about 1 year ago.
Updated about 1 year ago.
Description
The file /etc/tomcat/server.xml contains passwords and is world readable. The actual keystore is limited by file permissions, but server.xml should also be limited.
- Target version set to 3.8.0
- File 0001-Refs-36760-Reset-candlepin-key-and-truststore.patch added
And to be clear, you still need root access to do anything with the password?
- File deleted (0001-Refs-36760-Reset-candlepin-key-and-truststore.patch)
Yes. You can verify this:
# ls -l /etc/candlepin/certs/{key,trust}store
-rw-r-----. 1 root tomcat 4687 Oct 3 15:34 /etc/candlepin/certs/keystore
-rw-r-----. 1 root tomcat 4194 Oct 3 15:34 /etc/candlepin/certs/truststore
I also had a mistake in the previous patch. I've now verified it on a nightly box.
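The permission check shown above, generalized into a small audit script as an added example (this is not part of the issue, its patches or the linked pull requests): it flags a file that is both world readable and contains a password-like attribute, which is exactly the condition the description gives for /etc/tomcat/server.xml. The `pass*=` pattern and the path arguments are assumptions; the suggested `root:tomcat` / `0640` mode mirrors the keystore listing in the comment above.

```shell
#!/bin/sh
# Added audit helper (not from the Foreman issue or its patches): report config
# files that are world readable AND contain a password-looking attribute.

# Return 0 when the "other" read bit is set on $1, 1 otherwise.
# Column 8 of `ls -ld` output is the other-read bit (e.g. "-rw-r--r--").
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Return 0 when the file holds an attribute such as password="..." or
# keystorePass="..." (heuristic pattern, an assumption for this example).
contains_password() {
    grep -qi 'pass[a-z]*[[:space:]]*=' "$1"
}

# Combined check: returns 0 for no finding, 1 when the file is world readable
# and contains a password. Missing files are skipped, not reported.
check_secret_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "skip: $f does not exist"
        return 0
    fi
    if is_world_readable "$f" && contains_password "$f"; then
        echo "FINDING: $f is world readable and contains a password"
        echo "         suggested fix: chown root:tomcat '$f' && chmod 0640 '$f'"
        return 1
    fi
    echo "ok: $f"
    return 0
}

# Usage: sh audit.sh /etc/tomcat/server.xml /etc/candlepin/candlepin.conf
# Exit status is 1 if any argument produced a finding.
if [ $# -gt 0 ]; then
    rc=0
    for path in "$@"; do
        check_secret_file "$path" || rc=1
    done
    exit "$rc"
fi
```

The script only reports; it does not change modes itself, so it is safe to run from a cron job or a compliance check and act on the printed suggestion after review. The group name `tomcat` in the suggestion is taken from the keystore listing and should be adjusted on systems where the service runs under a different account.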
- Subject changed from World readable tomcat server.xml contains passwords to CVE-2023-4886: World readable tomcat server.xml contains passwords
- Private changed from Yes to No
Embargo has lifted, removing private.
- Status changed from New to Ready For Testing
- Assignee set to Ewoud Kohl van Wijngaarden
- Pull request https://github.com/theforeman/puppet-candlepin/pull/242 added
- Pull request https://github.com/theforeman/foreman-installer/pull/886 added
- Pull request https://github.com/theforeman/foreman-installer/pull/887 added
- Fixed in Releases 3.9.0 added
- Status changed from Ready For Testing to Closed
- Pull request https://github.com/theforeman/foreman-installer/pull/890 added
- Fixed in Releases 3.8.0 added
- Fixed in Releases deleted (3.9.0)