document CVE-2022-3874 and the fix for it

theforeman · Sep 26, 2023 · 71f58e8 · 71f58e8
1 parent 4f4d28f
commit 71f58e8
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/_includes/manuals/nightly/1.2_release_notes.md b/_includes/manuals/nightly/1.2_release_notes.md
@@ -6,6 +6,16 @@ This section will be updated prior to the next release.
 
 ### Upgrade warnings
 
+#### `ct_command` and `fcct_command` settings replaced with `(fc)ct_location` and `(fc)ct_arguments`
+
+To fix [CVE-2022-3874](/security.html#2022-3874) the settings for the CoreOS and Fedora CoreOS
+transpiler commands were changed to individual settings for the location of the binary and the
+arguments passed to it.
+During the upgrade the location of the binaries will be automatically changed to `/usr/bin/ct`
+and `/usr/bin/fcct`. Setting the binary location to any other path requires changes to
+`settings.yaml`, as different locations are forbidden by default.
+The arguments are automatically migrated from the old settings to the new ones.
+
 ### Deprecations
 
 ### Release Notes

diff --git a/security.md b/security.md
@@ -15,6 +15,7 @@ The policy of the project is to treat all newly reported issues as private, and
 
 All security advisories made for Foreman are listed below with their corresponding [CVE identifier](https://cve.mitre.org/).
 
+* [CVE-2022-3874: OS command injection via ct_command and fcct_command](security.html#2022-3874)
 * [CVE-2021-3584: Remote code execution through Sendmail configuration](security.html#2021-3584)
 * [CVE-2021-20256: BMC controller credential leak via API](security.html#2021-20256)
 * [CVE-2021-20259: Proxmox compute resource password leak](security.html#2021-20259)
@@ -87,6 +88,16 @@ All security advisories made for Foreman are listed below with their correspondi
 
 ### Disclosure details
 
+#### <a id="2022-3874"></a>CVE-2022-3874: OS command injection via ct_command and fcct_command
+
+`ct_command` and `fcct_command` settings, available via Administer - Settings, both accept arbitrary
+strings as the command name and calling CoreOS templates will execute those commands as the user Foreman runs under.
+By default, only Foreman super administrator can access settings.
+
+* Affects Foreman 3.2.0 and higher
+* Fix released in Foreman 3.9.0
+* Redmine issue [#36759](https://projects.theforeman.org/issues/36759)
+
 #### <a id="2021-3584"></a>CVE-2021-3584: Remote code execution through Sendmail configuration
 
 Sendmail location and arguments, available via Administer - Settings, both accept arbitrary strings and pass them into shell.