Bug 1204543 - (CVE-2022-31255) VUL-0: CVE-2022-31255: SUMA/UYUNI directory path traversal vulnerability in CobblerSnipperViewAction
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High  Severity: Normal
Target Milestone: ---
Assigned To: Kevin Walter
QA Contact: Security Team bot
Whiteboard: CVSSv3.1:SUSE:CVE-2020-29411:5.0:(AV:...
Depends on:
Blocks: 1201713
Reported: 2022-10-20 13:49 UTC by Paolo Perego
Modified: 2022-11-04 17:39 UTC (History)
CC List: 11 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
The exploited vulnerability showing /etc/passwd file content (287.94 KB, image/png)
2022-10-20 13:50 UTC, Paolo Perego
Description Paolo Perego 2022-10-20 13:49:18 UTC
During a SUMA/UYUNI audit, a directory path traversal vulnerability has been found.

When viewing a cobbler autoinstallation snippet, it is possible to escape from the /var/lib/cobbler/snippet path using the "path" request parameter and access files outside the webserver root directory.

On a default installation, tomcat is running as a non-privileged user process, so the impact on file system confidentiality is limited to files readable by the tomcat user, by the www, susemanager and tomcat groups, and files readable by anyone.

To exploit this vulnerability no particular script is needed, but an authenticated SUMA session is required.
Comment 2 Paolo Perego 2022-10-20 13:52:18 UTC
CRD: 2022-11-03 15.00 UTC
Comment 5 Paolo Perego 2022-10-20 14:00:36 UTC
The vulnerability is in class com.redhat.rhn.frontend.action.kickstart.cobbler.CobblerSnipperViewAction, which reads the "path" parameter from the URL and then passes it to a File() class (line 51).

The parameter is used to load a com.redhat.rhn.domain.kickstart.cobbler.CobblerSnippet object.

As a suggested mitigation, some regex control can be done to make sure no file is loaded from outside /var/lib/cobbler/snippets.
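A containment check of the kind this comment suggests, written as an added example in Java (the language of spacewalk-java) and not code from the Uyuni/SUSE Manager project: the class name SnippetPathGuard, the method names, the sample inputs and the temporary directory used in main() are assumptions; only the root directory /var/lib/cobbler/snippets comes from the report. Instead of a regex it uses java.nio path normalisation, which also rejects absolute "path" values and files reached through a symlink that points outside the root.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: resolving a user-supplied snippet name safely against a fixed root. */
public final class SnippetPathGuard {

    // Root named in the report; main() below uses a temporary directory instead of this path.
    static final Path SNIPPET_ROOT = Paths.get("/var/lib/cobbler/snippets");

    /** The pattern the report describes (illustrative, not the project's code): the request value
     *  goes straight into a file object, so ".." segments and absolute paths are honoured as given. */
    static Path unsafeResolve(String requestedPath) {
        return Paths.get(requestedPath);
    }

    /**
     * Hardened form: resolve relative to the root, normalise away "." and "..", and require the
     * result to stay inside the root both lexically and after following symlinks.
     */
    static Path safeResolve(Path root, String requestedPath) throws IOException {
        if (requestedPath == null || requestedPath.isEmpty()) {
            throw new IllegalArgumentException("missing snippet path");
        }
        Path realRoot = root.toRealPath();
        // resolve() returns its argument unchanged when that argument is absolute, so an
        // absolute "path" value lands outside realRoot and fails the startsWith() check.
        // startsWith() compares whole path components, so "/var/lib/cobbler/snippets2"
        // does not pass as a child of "/var/lib/cobbler/snippets".
        Path candidate = realRoot.resolve(requestedPath).normalize();
        if (!candidate.startsWith(realRoot)) {
            throw new SecurityException("snippet path escapes root: " + requestedPath);
        }
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath(); // follows symlinks
            if (!real.startsWith(realRoot)) {
                throw new SecurityException("snippet resolves outside root via symlink: " + requestedPath);
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temporary root with one snippet in it.
        Path root = Files.createTempDirectory("snippets");
        Files.writeString(root.resolve("motd"), "# constructed sample snippet\n");

        // Constructed inputs: two legitimate names, one relative escape, one absolute path, one empty.
        String[] inputs = { "motd", "sub/../motd", "../escaped", "/tmp/escaped", "" };
        for (String in : inputs) {
            try {
                System.out.println("OK      \"" + in + "\" -> " + safeResolve(root, in));
            } catch (SecurityException | IllegalArgumentException e) {
                System.out.println("REJECT  \"" + in + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile with javac (Java 11 or newer for Files.writeString) and run the class: the two legitimate names resolve to the snippet inside the temporary root, while the relative escape, the absolute path and the empty value are rejected before any file is opened.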
Comment 11 Paolo Perego 2022-10-20 16:25:11 UTC
After an internal brainstorm with Johannes, I re-calculated the CVSS score, assigning a value of 5.

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:H

Since tomcat is running as a low-privilege user process by default, this gives us a pretty solid posture over critical system-wide files.

However, consider that with this, a user can disclose constants and passwords at application level.
Comment 17 Paolo Perego 2022-10-21 11:29:32 UTC
CRD: 2022-11-04 15.00 UTC
Comment 20 Johannes Segitz 2022-10-24 15:12:14 UTC
Please use CVE-2022-31255
Comment 25 Paolo Perego 2022-11-04 16:13:01 UTC
Fixed versions: SUMA 4.3.2, 4.2.10 and Uyuni-2022.10
Comment 26 Swamp Workflow Management 2022-11-04 17:30:09 UTC
SUSE-SU-2022:3880-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    spacewalk-java-4.3.39-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2022-11-04 17:32:28 UTC
SUSE-SU-2022:3878-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (critical)
Bug References: 1195624,1197724,1199726,1200596,1201059,1201788,1202167,1202729,1202785,1203283,1203406,1203422,1203564,1203599,1203611,1203898,1204146,1204203,1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    hub-xmlrpc-api-0.7-150300.3.9.2, inter-server-sync-0.2.4-150300.8.25.2, locale-formula-0.3-150300.3.3.2, py27-compat-salt-3000.3-150300.7.7.26.2, python-urlgrabber-3.10.2.1py2_3-150300.3.3.2, spacecmd-4.2.20-150300.4.30.2, spacewalk-backend-4.2.25-150300.4.32.4, spacewalk-client-tools-4.2.21-150300.4.27.3, spacewalk-java-4.2.43-150300.3.48.2, spacewalk-utils-4.2.18-150300.3.21.2, spacewalk-web-4.2.30-150300.3.30.3, susemanager-4.2.38-150300.3.44.3, susemanager-doc-indexes-4.2-150300.12.36.3, susemanager-docs_en-4.2-150300.12.36.2, susemanager-schema-4.2.25-150300.3.30.3, susemanager-sls-4.2.28-150300.3.36.2

Comment 28 Swamp Workflow Management 2022-11-04 17:39:20 UTC
SUSE-SU-2022:3879-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: security (critical)
Bug References: 1195624,1197724,1199726,1200596,1201059,1201788,1202167,1202729,1202785,1203283,1203406,1203422,1203564,1203599,1203611,1203898,1204146,1204203,1204543,1204716,1204741
CVE References: CVE-2022-31255,CVE-2022-43753,CVE-2022-43754
JIRA References: 
Sources used:
SUSE Manager Server 4.2 (src):    release-notes-susemanager-4.2.10-150300.3.57.1
SUSE Manager Retail Branch Server 4.2 (src):    release-notes-susemanager-proxy-4.2.10-150300.3.46.1
SUSE Manager Proxy 4.2 (src):    release-notes-susemanager-proxy-4.2.10-150300.3.46.1
