document CVE-2022-3874 and the fix for it

_includes/manuals/3.8/1.2_release_notes.md

@@ -13,11 +13,21 @@ The parameters still exist and can be specified, but the average user shouldn't
 
 ### Upgrade warnings
 
-### Foreman Redis caching DB changed to 4
+#### Foreman Redis caching DB changed to 4
 
 Since Foreman 3.6 Foreman can be easily configured to use Redis for caching (using `--foreman-rails-cache-store type:redis`).
 Starting Foreman 3.8 this uses DB 4, instead of DB 0, to avoid potential conflicts with other software.
 
+#### `ct_command` and `fcct_command` settings replaced with `(fc)ct_location` and `(fc)ct_arguments`
+
+To fix [CVE-2022-3874](/security.html#2022-3874) the settings for the CoreOS and Fedora CoreOS
+transpiler commands were changed to individual settings for the location of the binary and the
+arguments passed to it.
+During the upgrade the location of the binaries will be automatically changed to `/usr/bin/ct`
+and `/usr/bin/fcct`. Setting the binary location to any other path requires changes to
+`settings.yaml`, as different locations are forbidden by default.
+The arguments are automatically migrated from the old settings to the new ones.
+
 ### Release Notes
 
 ### Release notes for 3.8.0

_includes/manuals/nightly/1.2_release_notes.md

@@ -6,6 +6,16 @@ This section will be updated prior to the next release.
 
 ### Upgrade warnings
 
+#### `ct_command` and `fcct_command` settings replaced with `(fc)ct_location` and `(fc)ct_arguments`
+
+To fix [CVE-2022-3874](/security.html#2022-3874) the settings for the CoreOS and Fedora CoreOS
+transpiler commands were changed to individual settings for the location of the binary and the
+arguments passed to it.
+During the upgrade the location of the binaries will be automatically changed to `/usr/bin/ct`
+and `/usr/bin/fcct`. Setting the binary location to any other path requires changes to
+`settings.yaml`, as different locations are forbidden by default.
+The arguments are automatically migrated from the old settings to the new ones.
+
 ### Deprecations
 
 ### Release Notes

security.md

@@ -15,6 +15,7 @@ The policy of the project is to treat all newly reported issues as private, and
 
 All security advisories made for Foreman are listed below with their corresponding [CVE identifier](https://cve.mitre.org/).
 
+* [CVE-2022-3874: OS command injection via ct_command and fcct_command](security.html#2022-3874)
 * [CVE-2021-3584: Remote code execution through Sendmail configuration](security.html#2021-3584)
 * [CVE-2021-20256: BMC controller credential leak via API](security.html#2021-20256)
 * [CVE-2021-20259: Proxmox compute resource password leak](security.html#2021-20259)
@@ -87,6 +88,16 @@ All security advisories made for Foreman are listed below with their correspondi
 
 ### Disclosure details
 
+#### <a id="2022-3874"></a>CVE-2022-3874: OS command injection via ct_command and fcct_command
+
+`ct_command` and `fcct_command` settings, available via Administer - Settings, both accept arbitrary
+strings as the command name and calling CoreOS templates will execute those commands as the user Foreman runs under.
+By default, only Foreman super administrator can access settings.
+
+* Affects Foreman 3.2.0 and higher
+* Fix released in Foreman 3.8.0
+* Redmine issue [#36759](https://projects.theforeman.org/issues/36759)
+
 #### <a id="2021-3584"></a>CVE-2021-3584: Remote code execution through Sendmail configuration
 
 Sendmail location and arguments, available via Administer - Settings, both accept arbitrary strings and pass them into shell.