{
  "threat_severity" : "Important",
  "public_date" : "2019-04-09T13:27:00Z",
  "bugzilla" : {
    "description" : "katello-installer-base: QMF methods exposed to goferd via qdrouterd",
    "id" : "1684275",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1684275"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.0",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-284",
  "details" : [ "A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent in versions before Satellite 6.2, Satellite 6.1 optional and Satellite Capsule 6.1. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to access QMF methods on any host also registered to Satellite (or Capsule) and execute privileged commands.", "A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent. A malicious user authenticated to a host registered to Satellite (or Capsule) can use this flaw to access QMF methods on any host also registered to Satellite (or Capsule) and execute privileged commands." ],
  "statement" : "On Red Hat Satellite 6.5, the Satellite 6.5 GA release includes a version of katello-installer-base that provides the fixes for this issue.",
  "acknowledgement" : "This issue was discovered by Pavel Moravec (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.1::el6",
    "package" : "katello-installer-base-0:3.0.0.105-1.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.1::el6",
    "package" : "libwebsockets-0:2.1.0-3.el6"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.1::el6",
    "package" : "python-qpid-0:1.35.0-5.el6"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.1::el6",
    "package" : "qpid-cpp-0:1.36.0-19.el6"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.1::el6",
    "package" : "qpid-dispatch-0:0.8.0-10.el6"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.1::el6",
    "package" : "qpid-proton-0:0.16.0-12.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.1::el6",
    "package" : "satellite-0:6.2.16.1-1.0.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.1::el6",
    "package" : "tfm-rubygem-foreman_theme_satellite-0:0.1.47.5-1.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.1::el6",
    "package" : "tfm-rubygem-katello-0:3.0.0.171-1.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.1::el6",
    "package" : "tfm-rubygem-qpid_messaging-0:1.36.0-6.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.1::el6",
    "package" : "katello-installer-base-0:3.0.0.105-1.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.1::el6",
    "package" : "libwebsockets-0:2.1.0-3.el6"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.1::el6",
    "package" : "python-qpid-0:1.35.0-5.el6"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.1::el6",
    "package" : "qpid-cpp-0:1.36.0-19.el6"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.1::el6",
    "package" : "qpid-dispatch-0:0.8.0-10.el6"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.1::el6",
    "package" : "qpid-proton-0:0.16.0-12.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.1::el6",
    "package" : "satellite-0:6.2.16.1-1.0.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.1::el6",
    "package" : "tfm-rubygem-foreman_theme_satellite-0:0.1.47.5-1.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.1::el6",
    "package" : "tfm-rubygem-katello-0:3.0.0.171-1.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 6",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.1::el6",
    "package" : "tfm-rubygem-qpid_messaging-0:1.36.0-6.el6sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.2::el7",
    "package" : "katello-installer-base-0:3.0.0.105-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.2::el7",
    "package" : "libwebsockets-0:2.1.0-3.el7"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.2::el7",
    "package" : "python-qpid-0:1.35.0-5.el7"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.2::el7",
    "package" : "qpid-cpp-0:1.36.0-19.el7"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.2::el7",
    "package" : "qpid-dispatch-0:0.8.0-16.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.2::el7",
    "package" : "qpid-proton-0:0.16.0-12.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.2::el7",
    "package" : "satellite-0:6.2.16.1-1.0.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.2::el7",
    "package" : "tfm-rubygem-foreman_theme_satellite-0:0.1.47.5-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.2::el7",
    "package" : "tfm-rubygem-katello-0:3.0.0.171-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite:6.2::el7",
    "package" : "tfm-rubygem-qpid_messaging-0:1.36.0-6.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.2::el7",
    "package" : "katello-installer-base-0:3.0.0.105-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.2::el7",
    "package" : "libwebsockets-0:2.1.0-3.el7"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.2::el7",
    "package" : "python-qpid-0:1.35.0-5.el7"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.2::el7",
    "package" : "qpid-cpp-0:1.36.0-19.el7"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.2::el7",
    "package" : "qpid-dispatch-0:0.8.0-16.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.2::el7",
    "package" : "qpid-proton-0:0.16.0-12.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.2::el7",
    "package" : "satellite-0:6.2.16.1-1.0.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.2::el7",
    "package" : "tfm-rubygem-foreman_theme_satellite-0:0.1.47.5-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.2::el7",
    "package" : "tfm-rubygem-katello-0:3.0.0.171-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.2 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0734",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.2::el7",
    "package" : "tfm-rubygem-qpid_messaging-0:1.36.0-6.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.3 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0733",
    "cpe" : "cpe:/a:redhat:satellite:6.3::el7",
    "package" : "katello-installer-base-0:3.4.5.35-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.3 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0733",
    "cpe" : "cpe:/a:redhat:satellite:6.3::el7",
    "package" : "satellite-0:6.3.5.1-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.3 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0733",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.3::el7",
    "package" : "katello-installer-base-0:3.4.5.35-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.3 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0733",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.3::el7",
    "package" : "satellite-0:6.3.5.1-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.4 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0735",
    "cpe" : "cpe:/a:redhat:satellite:6.4::el7",
    "package" : "katello-installer-base-0:3.7.0.19-1.el7sat"
  }, {
    "product_name" : "Red Hat Satellite 6.4 for RHEL 7",
    "release_date" : "2019-04-09T00:00:00Z",
    "advisory" : "RHSA-2019:0735",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.4::el7",
    "package" : "katello-installer-base-0:3.7.0.19-1.el7sat"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-3845\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3845" ],
  "name" : "CVE-2019-3845",
  "mitigation" : {
    "value" : "On Satellite Server follow the instructions below:\n* Modify /etc/qpid/qpidd.conf to add this line:\nacl-file=qpid_acls.acl\n* Create a new file: /var/lib/qpidd/.qpidd/qpid_acls.acl with content:\nacl allow katello_agent@QPID create queue\nacl allow katello_agent@QPID consume queue\nacl allow katello_agent@QPID access exchange\nacl allow katello_agent@QPID access queue\nacl allow katello_agent@QPID publish exchange routingkey=pulp.task\nacl allow katello_agent@QPID publish exchange name=qmf.default.direct\nacl allow katello_agent@QPID access method name=create\nacl deny-log katello_agent@QPID access method name=*\nacl deny-log katello_agent@QPID all all\n# allow anything else\nacl allow all all\n* As root, execute the command:\n# systemctl restart qpidd\n* In /etc/qpid-dispatch/qdrouterd.conf modify the connector:\nconnector {\nname: broker\nhost: localhost\nport: 5671\nsasl-mechanisms: PLAIN\nsasl-username: katello_agent\nsasl-password: katello_agent\nrole: route-container\nssl-profile: client\nidle-timeout-seconds: 0\n}\n* As root, execute the command:\n# systemctl restart qdrouterd\nThese ACLs will prevent clients from redirecting or moving messages to other queues, which is the nature of the CVE.\nAll other behavior will be unchanged (acl allow all all), which is the current baseline.",
    "lang" : "en:us"
  },
  "csaw" : false
}