Does CVE-2013-4480 affect Red Hat Satellite 5.x?


Issue

The flaw identified by CVE-2013-4480 (Red Hat Bugzilla 1024614) describes an issue where a user-supplied web query can result in an administrative user being added to the Satellite console. A remote, unprivileged user could use this flaw to gain administrative privileges to the Satellite console.

No public exploit is available; however, exploitation does not require specialized knowledge or tools.

Environment

  • Red Hat Satellite 5, all supported versions as well as older versions

Resolution

Updates to correct this issue are available below. Customers are advised to apply them now.

If updating is not possible, the /var/lib/tomcat[56]/webapps/rhn/WEB-INF/struts-config.xml file can be modified manually to include the two necessary checks.

Red Hat Satellite 5.4 and later

1) In the struts-config.xml file, locate the "CreateFirstUserSubmit" section and add the following line after the <set-property property="postRequired" value="true" /> line:

    <set-property property="acls" value="need_first_user()"/>

The modified section should look as follows:

    <action path="/newlogin/CreateFirstUserSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <set-property property="acls" value="need_first_user()"/>
      <forward name="success_sat" path="/YourRhn.do"
               redirect="true"/>
      <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
    </action>

2) In the struts-config.xml file, locate the "CreateSatelliteSubmit" section and add the following line after the <set-property property="postRequired" value="true" /> line:

    <set-property property="acls" value="user_role(org_admin)"/>

The modified section should look as follows:

    <action path="/newlogin/CreateSatelliteSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <set-property property="acls" value="user_role(org_admin)"/>
      <forward name="existorgsuccess" path="/users/ActiveList.do"
               redirect="true"/>
      <forward name="failure" path="/users/CreateUser.do"/>
    </action>

3) The Satellite service must be restarted ("service rhn-satellite restart") for the above changes to take effect.

Red Hat Satellite 5.3, 5.2, and earlier

1) In the struts-config.xml file, locate the "CreateFirstUserSubmit" section and add the following lines after the type="com.redhat.rhn.frontend.action.user.CreateUserAction"> line:

    className="com.redhat.rhn.frontend.struts.RhnActionMapping">
    <set-property property="acls" value="need_first_user()"/>

Additionally, remove the ' > ' character from the end of the current type="com.redhat.rhn.frontend.action.user.CreateUserAction"> line.

The modified section should look as follows:

    <action path="/newlogin/CreateFirstUserSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="acls" value="need_first_user()"/>
      <forward name="success_sat" path="/YourRhn.do"
               redirect="true"/>
      <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
    </action>

2) In the struts-config.xml file, locate the "CreateSatelliteSubmit" section and add the following lines after the type="com.redhat.rhn.frontend.action.user.CreateUserAction"> line:

    className="com.redhat.rhn.frontend.struts.RhnActionMapping">
    <set-property property="acls" value="user_role(org_admin)"/>

Additionally, remove the ' > ' character from the end of the current type="com.redhat.rhn.frontend.action.user.CreateUserAction"> line.

The modified section should look as follows:

    <action path="/newlogin/CreateSatelliteSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="acls" value="user_role(org_admin)"/>
      <forward name="existorgsuccess" path="/users/ActiveList.do"
               redirect="true"/>
      <forward name="failure" path="/users/CreateUser.do"/>
    </action>

3) The Satellite service must be restarted ("service rhn-satellite restart") for the above changes to take effect.
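Whether the manual fix above was applied correctly can be verified without reading the whole file by hand. The following script is an added example, not part of this article or of Satellite itself: it parses a struts-config.xml and reports, for each of the two Submit actions named in the resolution, whether the required acls set-property is present with exactly the value the article prescribes. The embedded sample is a constructed, cut-down copy of the unpatched layout; the short class names in its type attributes are placeholders.

```python
import sys
import xml.etree.ElementTree as ET

# Action paths and the ACL each must carry, as the article's resolution specifies.
REQUIRED_ACLS = {
    "/newlogin/CreateFirstUserSubmit": "need_first_user()",
    "/newlogin/CreateSatelliteSubmit": "user_role(org_admin)",
}

# Constructed sample mirroring an unpatched layout: the ACL sits only on
# CreateFirstUser, and the two Submit actions carry no acls property at all.
UNPATCHED_SAMPLE = """<struts-config><action-mappings>
  <action path="/newlogin/CreateFirstUser" type="x.CreateUserSetupAction">
    <set-property property="acls" value="need_first_user()"/>
  </action>
  <action path="/newlogin/CreateFirstUserSubmit" type="x.CreateUserAction">
    <set-property property="postRequired" value="true"/>
  </action>
  <action path="/newlogin/CreateSatelliteSubmit" type="x.CreateUserAction">
    <set-property property="postRequired" value="true"/>
  </action>
</action-mappings></struts-config>"""


def action_acls(root):
    """Map each <action path=...> to the value of its 'acls' set-property, or None."""
    acls = {}
    for action in root.iter("action"):
        path = action.get("path")
        if path is None:
            continue
        acls[path] = None
        for prop in action.findall("set-property"):
            if prop.get("property") == "acls":
                acls[path] = prop.get("value")
    return acls


def missing_checks(xml_text):
    """Return (path, expected_acl, found_acl) for every required check that is absent.
    A missing action, a missing acls property and a wrong ACL value all count."""
    found = action_acls(ET.fromstring(xml_text))
    return [(path, acl, found.get(path))
            for path, acl in REQUIRED_ACLS.items() if found.get(path) != acl]


if __name__ == "__main__":
    # Default is the Tomcat 5 location named in the article; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/tomcat5/webapps/rhn/WEB-INF/struts-config.xml"
    with open(target, encoding="utf-8") as fh:
        problems = missing_checks(fh.read())
    for path, expected, actual in problems:
        print(f"{path}: expected acls={expected!r}, found {actual!r}")
    sys.exit(1 if problems else 0)
```

A non-zero exit status means at least one of the two checks is missing; remember that the Satellite service must still be restarted after editing the file.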

2 Comments

Hello,

My /var/lib/tomcat5/webapps/rhn/WEB-INF/struts-config.xml file does not match what the instructions say to do.

The value="need_first_user()" is in the CreateFirstUser action, not the CreateFirstUserSubmit action. Should I just add it to CreateFirstUserSubmit?

Then, the CreateSatelliteSubmit does not have the "acls" line. Should I just add that as well? Thank you.

    <action path="/newlogin/CreateFirstUser"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        type="com.redhat.rhn.frontend.action.user.CreateUserSetupAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="acls"
                    value="need_first_user()"/>
      <forward name="default" path="/WEB-INF/pages/user/create/createsatellite.jsp" />
    </action>

    <action path="/newlogin/CreateFirstUserSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <forward name="success_sat" path="/YourRhn.do"
               redirect="true"/>
      <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
    </action>

    <action path="/newlogin/CreateSatelliteSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <forward name="existorgsuccess" path="/users/ActiveList.do"
               redirect="true"/>
      <forward name="failure" path="/users/CreateUser.do"/>
    </action>

Hi Joseph Martin, please open a support ticket if this is not clear to you.

This knowledgebase article describes how to manually fix a Satellite. If you are running 5.2 or newer, we released Errata which can be applied to address the issue.

Sat 5.2 - https://rhn.redhat.com/errata/RHSA-2013-1513.html

Sat 5.3, 5.4, 5.5, 5.6 - https://rhn.redhat.com/errata/RHSA-2013-1514.html

The copy/paste provided indicates that your system has not been patched. I recommend either applying the Errata, applying the fix manually, or contacting Support for assistance.

If you are not able to install the new RPMs from the Errata, then follow the text within this knowledgebase article for section - "Red Hat Satellite 5.4 and later". This will add need_first_user() to CreateFirstUserSubmit AND add user_role(org_admin) to CreateSatelliteSubmit.

Regards,
Cliff