Bug 1008050 - (CVE-2016-9013) VUL-1: CVE-2016-9013: python-django: user with hardcoded password created when running tests on Oracle
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/174313/
Whiteboard: CVSSv2:SUSE:CVE-2016-9013:4.0:(AV:N/A...
Depends on:
Blocks:
Reported: 2016-11-02 09:51 UTC by Sebastian Krahmer
Modified: 2021-08-31 15:43 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Sebastian Krahmer 2016-11-02 09:51:30 UTC
Quoting RH-BZ:

The following flaw was reported in Django:

When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the database settings 'TEST' dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect.

This user is usually dropped after the test suite completes, but not when using the 'manage.py test --keepdb' option or if the user has an active session (such as an attacker's connection).

A randomly generated password is now used for each test run.

rh#1389414


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1389414
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9013
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9013.html
Comment 1 Swamp Workflow Management 2016-11-02 23:00:25 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2018-03-22 10:10:14 UTC
This is an autogenerated message for OBS integration:
This bug (1008050) was mentioned in
https://build.opensuse.org/request/show/589964 42.3 / python-Django
Comment 3 Swamp Workflow Management 2018-03-23 21:30:12 UTC
This is an autogenerated message for OBS integration:
This bug (1008050) was mentioned in
https://build.opensuse.org/request/show/590768 42.3 / python3-Django
Comment 4 Swamp Workflow Management 2018-03-27 10:08:26 UTC
openSUSE-SU-2018:0824-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999,968000
CVE References: CVE-2016-2048,CVE-2016-2512,CVE-2016-2513,CVE-2016-6186,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
openSUSE Leap 42.3 (src):    python3-Django-1.8.19-5.3.1
Comment 5 Swamp Workflow Management 2018-03-27 10:10:53 UTC
openSUSE-SU-2018:0826-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999,968000
CVE References: CVE-2016-2048,CVE-2016-2512,CVE-2016-2513,CVE-2016-6186,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
openSUSE Leap 42.3 (src):    python-Django-1.8.19-6.4.1
Comment 6 Swamp Workflow Management 2018-04-18 10:12:26 UTC
SUSE-SU-2018:0973-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305
CVE References: CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
SUSE OpenStack Cloud 7 (src):    python-Django-1.8.19-3.4.1
Comment 7 Swamp Workflow Management 2018-04-27 19:09:48 UTC
SUSE-SU-2018:1102-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1001374,1008047,1008050,1031450,1031451,1056284,1083304,1083305,967999
CVE References: CVE-2016-2512,CVE-2016-7401,CVE-2016-9013,CVE-2016-9014,CVE-2017-12794,CVE-2017-7233,CVE-2017-7234,CVE-2018-7536,CVE-2018-7537
Sources used:
SUSE OpenStack Cloud 6 (src):    python-Django-1.8.19-3.6.1
Comment 10 Tim Serong 2020-05-12 04:23:48 UTC
SES5 ships Django 1.6.  The oldest patch for this issue is for Django 1.8 (https://github.com/django/django/commit/70f99952965a430daf69eeb9947079aae535d2d0), and that doesn't apply at all cleanly to Django 1.6.

It *might* be enough to do something like this:

--- creation.py.orig	2020-05-12 14:19:49.446408680 +1000
+++ creation.py	2020-05-12 14:20:25.850062144 +1000
@@ -4,9 +4,10 @@
 from django.conf import settings
 from django.db.backends.creation import BaseDatabaseCreation
 from django.utils.six.moves import input
+from django.utils.crypto import get_random_string
 
 TEST_DATABASE_PREFIX = 'test_'
-PASSWORD = 'Im_a_lumberjack'
+PASSWORD = get_random_string(length=30)
 
 class DatabaseCreation(BaseDatabaseCreation):
     # This dictionary maps Field objects to their associated Oracle column
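Review bot: `PASSWORD = get_random_string(length=30)` is evaluated once at module import, so the value is fixed for the lifetime of the test process; that keeps every reference to `PASSWORD` in this module consistent (user creation and the later connection see the same string), and length 30 with `get_random_string`'s default letters-and-digits alphabet stays within what Oracle accepts for a password. What this hunk does not show is whether a test password supplied in the settings still takes precedence over the generated constant; that path should be checked in the rest of the module before the backport is considered complete.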

At least, this would get rid of the hard-coded password, but I'm not sure if there are other implications, e.g.: is the "ALTER USER" thing in the _create_test_user() function necessary?  I don't know, I'm not familiar enough with how this database creation stuff works :-/

Do we really need to take this for SES5?  Django there is only used by openATTIC and I'd be amazed if anyone anywhere will ever 1) configure this with an Oracle database, and 2) also run the tests and hit the problem.
Comment 12 Marcus Meissner 2021-08-31 15:43:26 UTC
closing