Bug 1074594 (CVE-2017-1000469)

Summary: VUL-0: CVE-2017-1000469: cobbler: command injection vulnerability in the "add repo" component
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, pablo.suarezhernandez, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/197573/
Whiteboard: CVSSv2:NVD:CVE-2017-1000469:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv3:SUSE:CVE-2017-1000469:6.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2017-1000469:8.8:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2018-01-04 08:15:39 UTC
CVE-2017-1000469

Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability
in the "add repo" component resulting in arbitrary code execution as root user.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000469
https://github.com/cobbler/cobbler/issues/1845
Comment 5 Pablo Suárez Hernández 2018-04-26 13:04:05 UTC
I've created a fix to escape the parameters provided by the user to generate the shell command which is executed during the "cobbler reposync" run. That way, we prevent the execution of malicious shell code that might be injected in variables set by the user while creating the repo.

Upstream cobbler PR: https://github.com/cobbler/cobbler/pull/1889
"systemsmanagement/cobbler": https://build.opensuse.org/request/show/601548

Closing this as RESOLVED/FIXED since SR to "systemsmanagement/cobbler" has been accepted. Thanks
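
The escaping approach described in comment 5, as an added illustration (not cobbler's code and not the upstream patch): a user-supplied repo field pasted into a shell string versus the same field quoted before interpolation, plus a shell-free variant. The function names, the sample mirror and destination values, and the argv-printing stand-in for the sync tool are all assumptions made for this example.

```python
import shlex
import subprocess
import sys

# Harmless stand-in for the sync tool: prints the arguments it received,
# joined by "|", so the effect of shell parsing is visible in the output.
ECHO_ARGV = [sys.executable, "-c", "import sys; print('|'.join(sys.argv[1:]))"]
TOOL = " ".join(shlex.quote(part) for part in ECHO_ARGV)


def run_shell(cmdline):
    """Run a command string through /bin/sh and return its stdout lines."""
    proc = subprocess.run(cmdline, shell=True, capture_output=True,
                          text=True, check=True)
    return proc.stdout.splitlines()


def sync_unsafe(mirror, dest):
    # Vulnerable pattern: user-controlled fields interpolated verbatim,
    # so the shell interprets any metacharacters they contain.
    return run_shell("%s %s %s" % (TOOL, mirror, dest))


def sync_quoted(mirror, dest):
    # Escaping approach: quote every user-supplied field before it reaches
    # the shell (shlex.quote in Python 3, pipes.quote in Python 2).
    return run_shell("%s %s %s" % (TOOL, shlex.quote(mirror), shlex.quote(dest)))


def sync_argv(mirror, dest):
    # Alternative hardening: no shell at all, arguments passed as a vector.
    proc = subprocess.run(ECHO_ARGV + [mirror, dest], capture_output=True,
                          text=True, check=True)
    return proc.stdout.splitlines()


# Constructed sample values; the mirror carries a separator and a marker command.
MIRROR = "rsync://mirror.example/repo; echo INJECTED #"
DEST = "/srv/www/repo_mirror/test repo"

if __name__ == "__main__":
    print("unsafe:", sync_unsafe(MIRROR, DEST))   # second line comes from the marker
    print("quoted:", sync_quoted(MIRROR, DEST))   # one line, value kept literal
    print("argv:  ", sync_argv(MIRROR, DEST))     # one line, value kept literal
```

With quoting or an argument vector the tool receives the mirror value as a single literal argument; in the unsafe variant the shell splits it and runs the marker command as a second command.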
Comment 6 Johannes Segitz 2018-04-26 15:14:17 UTC
(In reply to Pablo Suárez Hernández from comment #5)
Please don't close security issues. Assign them to security-team@suse.de once you're done. 

Before we can close this we need maintenance submissions to SUSE:SLE-12:Update and SUSE:SLE-12-SP2:Update:Products:Manager31:Update, please.
Comment 8 Pablo Suárez Hernández 2018-04-26 16:47:54 UTC
I've created the following maintenance requests:

MR to "SUSE:SLE-12:Update": https://build.suse.de/request/show/163065
MR to "SUSE:SLE-12-SP2:Update:Products:Manager31:Update": https://build.suse.de/request/show/163066

Setting back the assignee to "security-team@suse.de" as the requested MRs have been created.

BTW, we also have cobbler version 2.2.2 on "Devel:Galaxy:Manager:3.1:SLE11-SUSE-Manager-Tools" and "Devel:Galaxy:Manager:3.1:RES6-SUSE-Manager-Tools" projects which are used to provide the "koan" package to the SUSE Manager client tools (but not cobbler IIUC). Do we need to create SR/MR also there?

Thanks for the support!
Comment 9 Johannes Segitz 2018-05-02 12:38:10 UTC
(In reply to Pablo Suárez Hernández from comment #8)
Thank you. 

For the devel projects we don't track this, but we should either submit there too or bump to a newer version that has the fix.
Comment 10 Pablo Suárez Hernández 2018-05-03 13:10:22 UTC
(In reply to Johannes Segitz from comment #9)
> For the devel projects we don't track this, but we should either submit
> there too or bump to a newer version that has the fix.

SR to "Devel:Galaxy:Manager:Head:SLE11-SUSE-Manager-Tools" accepted:  https://build.suse.de/request/show/164282

Since for SLE11 and RES6 Manager tools we only ship the cobbler src package, we decided not to create an MR but to include this fix as part of the next maintenance update starting next week.
Comment 13 Swamp Workflow Management 2018-06-19 19:08:30 UTC
SUSE-SU-2018:1736-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 1074594,1075014,1081714,1090205
CVE References: CVE-2017-1000469
Sources used:
SUSE OpenStack Cloud 8 (src):    cobbler-2.6.6-49.9.1
SUSE Manager Tools 12 (src):    cobbler-2.6.6-49.9.1
SUSE Manager Server 3.0 (src):    cobbler-2.6.6-49.9.1
HPE Helion OpenStack 8 (src):    cobbler-2.6.6-49.9.1
Comment 14 Swamp Workflow Management 2018-06-19 19:16:08 UTC
SUSE-SU-2018:1741-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1074594,1090205
CVE References: CVE-2017-1000469
Sources used:
SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (src):    cobbler-2.2.2-0.68.3.1
SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (src):    cobbler-2.2.2-0.68.3.1
Comment 15 Swamp Workflow Management 2018-06-19 19:22:02 UTC
SUSE-SU-2018:1751-1: An update that solves two vulnerabilities and has 41 fixes is now available.

Category: security (moderate)
Bug References: 1073267,1074594,1075466,1080474,1081714,1082796,1083278,1083513,1084679,1085044,1085471,1085650,1085838,1087055,1087071,1087840,1088667,1088861,1089103,1089396,1089401,1089468,1090040,1090059,1090205,1090221,1090395,1090400,1090401,1090585,1091052,1091091,1091667,1091840,1091855,1092161,1092194,1092275,1092383,1092492,1095231,1095569,1096714
CVE References: CVE-2014-5326,CVE-2017-1000469
Sources used:
SUSE Manager Server 3.1 (src):    cobbler-2.6.6-5.10.4, google-gson-2.8.2-3.3.6, patterns-suse-manager-3.1-3.3.2, prometheus-client-java-0.3.0-1.3.5, py26-compat-salt-2016.11.4-1.7.2, salt-netapi-client-0.14.0-3.9.5, spacewalk-backend-2.7.73.13-2.19.5, spacewalk-branding-2.7.2.13-2.19.5, spacewalk-certs-tools-2.7.0.10-2.12.4, spacewalk-java-2.7.46.14-2.25.1, spacewalk-utils-2.7.10.7-2.10.4, spacewalk-web-2.7.1.16-2.19.5, susemanager-3.1.14-2.19.5, susemanager-docs_en-3.1-10.20.7, susemanager-frontend-libs-3.1.1-3.3.2, susemanager-schema-3.1.17-2.23.3, susemanager-sls-3.1.17-2.23.2, susemanager-sync-data-3.1.14-2.23.2, susemanager-tftpsync-3.1.3-3.6.2
Comment 16 Swamp Workflow Management 2018-06-21 10:08:05 UTC
openSUSE-SU-2018:1770-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 1074594,1075014,1081714,1090205
CVE References: CVE-2017-1000469
Sources used:
openSUSE Leap 42.3 (src):    cobbler-2.6.6-14.1
Comment 18 Marcus Meissner 2019-01-08 07:21:36 UTC
released
Comment 19 OBSbugzilla Bot 2020-11-25 12:40:23 UTC
This is an autogenerated message for OBS integration:
This bug (1074594) was mentioned in
https://build.opensuse.org/request/show/850700 15.2 / cobbler
Comment 20 Swamp Workflow Management 2021-01-11 14:18:08 UTC
openSUSE-SU-2021:0046-1: An update that solves 6 vulnerabilities and has 58 fixes is now available.

Category: security (moderate)
Bug References: 1020376,1029276,1048183,1074594,1075014,1081714,1081739,1090205,1097733,1101670,1104189,1104190,1104287,1105440,1105442,1113747,1128754,1128926,1130658,1134588,1149075,1151875,1156574,1159010,1169207,1169553,1169779,1170462,660126,671212,672471,682665,687891,695955,714618,722443,722445,757062,763610,783671,790545,796773,811025,812948,842699,846580,869371,884051,924118,952844,956264,966622,966841,967523,968406,969538,969541,973413,973418,976826,980577,984998,986978,988889
CVE References: CVE-2011-4953,CVE-2012-2395,CVE-2017-1000469,CVE-2018-1000225,CVE-2018-1000226,CVE-2018-10931
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    cobbler-3.1.2-lp152.6.3.1
Comment 21 Swamp Workflow Management 2021-01-14 20:18:15 UTC
openSUSE-SU-2021:0058-1: An update that solves 6 vulnerabilities and has 58 fixes is now available.

Category: security (moderate)
Bug References: 1020376,1029276,1048183,1074594,1075014,1081714,1081739,1090205,1097733,1101670,1104189,1104190,1104287,1105440,1105442,1113747,1128754,1128926,1130658,1134588,1149075,1151875,1156574,1159010,1169207,1169553,1169779,1170462,660126,671212,672471,682665,687891,695955,714618,722443,722445,757062,763610,783671,790545,796773,811025,812948,842699,846580,869371,884051,924118,952844,956264,966622,966841,967523,968406,969538,969541,973413,973418,976826,980577,984998,986978,988889
CVE References: CVE-2011-4953,CVE-2012-2395,CVE-2017-1000469,CVE-2018-1000225,CVE-2018-1000226,CVE-2018-10931
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    cobbler-3.1.2-bp152.4.3.1