Add CVE-2020-14334 to security page #1654

Merged
merged 1 commit into from
Aug 11, 2020
17 changes: 17 additions & 0 deletions security.md
@@ -15,6 +15,7 @@ The policy of the project is to treat all newly reported issues as private, and

All security advisories made for Foreman are listed below with their corresponding [CVE identifier](https://cve.mitre.org/).

* [CVE-2020-14334: World readable cache directory on RPM installs](security.html#2020-14334)
* [CVE-2019-14825: Registry credentials are captured in plain text in dynflow task during repository discovery](security.html#2019-14825)
* [CVE-2019-10198: Information disclosure in foreman tasks plugin](security.html#2019-10198)
* [CVE-2019-3845: Lack of access control around Qpid message broker](security.html#2019-3845)
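Review bot: The new index entry titles the advisory "World readable cache directory on RPM installs", but the section this link targets (`security.html#2020-14334`) is headed "World readable cache could expose sensitive settigs". Use one title in both places so the list entry and the detail section can be found under the same string.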
@@ -80,6 +81,22 @@ All security advisories made for Foreman are listed below with their correspondi

### Disclosure details

#### <a id="2020-14334"></a>CVE-2020-14334: World readable cache could expose sensitive settigs
Even encrypted settings have their raw values cached. Too permissive mode on cache dir caused, that anyone with access to the hosting system could read this encrypted settings.

*Mitigation:* override `/run/foreman` directory mode to `0750`.
To do so in a manner that survives reboot, update the file `/usr/lib/tmpfiles.d/foreman.conf`.
```
d /run/foreman 0750 foreman foreman -
```
For the change to have effect immediatelly run `systemd-tmpfiles --create`.

In case the system may have been accessed locally by an un-trusted user, it may be prudent to change any secrets stored in the settings, such as OAuth keys or remote execution passwords.

* Affects RPM installations using file cache since Foreman 1.3
* Fix released in Foreman 2.2.0, 2.1.1 and 2.0.2 and higher
* Redmine issue [#30490](https://projects.theforeman.org/issues/30490)

#### <a id="2019-14825"></a>CVE-2019-14825: Registry credentials are captured in plain text in dynflow task during repository discover
A cleartext password storage issue was discovered in Katello. Registry credentials used during container image discovery were inadvertently logged without being masked. This could expose the registry credentials to other privileged users.
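Review bot: The mitigation tells admins to edit `/usr/lib/tmpfiles.d/foreman.conf`, which is the vendor directory for tmpfiles.d and is normally replaced on package update; a file of the same name under `/etc/tmpfiles.d/` takes precedence and is the place for local overrides, so the text should point there or state that the edit has to be reapplied after updates until a fixed release is installed. In the description, "Even encrypted settings have their raw values cached" followed by "could read this encrypted settings" leaves it unclear whether the exposed values are the decrypted ones; say so explicitly, since that is what justifies the advice to rotate secrets. Typos to fix before merge: "settigs" in the heading, "immediatelly", and "caused, that".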
