Does CVE-2013-4480 affect Red Hat Satellite 5.x?


Issue

The flaw identified by CVE-2013-4480 (Red Hat Bugzilla 1024614) allows a user-supplied web request to add an administrative user to the Satellite web interface: the user-creation actions in the Satellite web application (CreateFirstUserSubmit and CreateSatelliteSubmit) did not enforce the access-control (acl) checks that the workaround below adds. A remote, unprivileged user could use this flaw to gain administrative privileges on the Satellite console.

No public exploit is available; however, exploitation does not require specialized knowledge or tools.

Environment

  • Red Hat Satellite 5, all supported versions as well as older versions

Resolution

Updates that correct this issue are available from Red Hat. Customers are advised to apply them now.

If updating is not possible, the /var/lib/tomcat[56]/webapps/rhn/WEB-INF/struts-config.xml file (tomcat5 or tomcat6, depending on the Satellite release) can be modified manually to include the two necessary acl checks. Back up the file before editing it; a malformed struts-config.xml will prevent the web application from starting.

Red Hat Satellite 5.4 and later

1) In the struts-config.xml file, locate the "CreateFirstUserSubmit" section and add the following line after the <set-property property="postRequired" value="true" /> line:

<set-property property="acls" value="need_first_user()"/>

The modified section should look as follows:

    <action path="/newlogin/CreateFirstUserSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <set-property property="acls" value="need_first_user()"/>
      <forward name="success_sat" path="/YourRhn.do"
               redirect="true"/>
      <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
    </action>

2) In the struts-config.xml file, locate the "CreateSatelliteSubmit" section and add the following line after the <set-property property="postRequired" value="true" /> line:

<set-property property="acls" value="user_role(org_admin)"/>

The modified section should look as follows:

    <action path="/newlogin/CreateSatelliteSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="postRequired" value="true" />
      <set-property property="acls" value="user_role(org_admin)"/>
      <forward name="existorgsuccess" path="/users/ActiveList.do"
               redirect="true"/>
      <forward name="failure" path="/users/CreateUser.do"/>
    </action>

3) The Satellite service must be restarted ("service rhn-satellite restart") for the above changes to take effect.

Red Hat Satellite 5.3, 5.2, and earlier

1) In the struts-config.xml file, locate the "CreateFirstUserSubmit" section. On these releases the action mapping has no className attribute and no set-property entries, so two lines are needed. Remove the ' > ' character from the end of the current type="com.redhat.rhn.frontend.action.user.CreateUserAction"> line, then add the following lines immediately after it:

className="com.redhat.rhn.frontend.struts.RhnActionMapping">
<set-property property="acls" value="need_first_user()"/>

The className attribute is required because the acls property belongs to Red Hat's RhnActionMapping class; without it the set-property line has no effect.

The modified section should look as follows:

    <action path="/newlogin/CreateFirstUserSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="acls" value="need_first_user()"/>
      <forward name="success_sat" path="/YourRhn.do"
               redirect="true"/>
      <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
    </action>

2) In the struts-config.xml file, locate the "CreateSatelliteSubmit" section. As in step 1, remove the ' > ' character from the end of the current type="com.redhat.rhn.frontend.action.user.CreateUserAction"> line, then add the following lines immediately after it:

className="com.redhat.rhn.frontend.struts.RhnActionMapping">
<set-property property="acls" value="user_role(org_admin)"/>

The modified section should look as follows:

    <action path="/newlogin/CreateSatelliteSubmit"
        name="createSatelliteForm"
        scope="request"
        validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction"
        className="com.redhat.rhn.frontend.struts.RhnActionMapping">
      <set-property property="acls" value="user_role(org_admin)"/>
      <forward name="existorgsuccess" path="/users/ActiveList.do"
               redirect="true"/>
      <forward name="failure" path="/users/CreateUser.do"/>
    </action>

3) The Satellite service must be restarted ("service rhn-satellite restart") for the above changes to take effect. After the restart, confirm that the web interface still loads; a parse error in struts-config.xml will show up in the tomcat logs.
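The following script is an added example, not Red Hat's code or part of the original article. It checks a struts-config.xml for the two acl entries the procedures above (5.4 and later, and 5.3 and earlier) require, and can apply them to a copy of the file. It assumes only what the article states: the two action paths, the two acl expressions, and that className must be com.redhat.rhn.frontend.struts.RhnActionMapping for the acls property to apply. The sample configuration embedded in it is constructed to look like an unpatched 5.3 mapping and is not copied from a real Satellite.

```python
"""Check, and optionally patch, the two Struts action mappings covered by the
CVE-2013-4480 workaround in struts-config.xml.  Added example; not Red Hat code."""
import xml.etree.ElementTree as ET

# Action path -> acl expression required by the article's workaround.
REQUIRED_ACLS = {
    "/newlogin/CreateFirstUserSubmit": "need_first_user()",
    "/newlogin/CreateSatelliteSubmit": "user_role(org_admin)",
}
# The acls property belongs to this mapping class (the 5.3 procedure adds it).
MAPPING_CLASS = "com.redhat.rhn.frontend.struts.RhnActionMapping"


def _find_action(root, path):
    """Return the <action> element with the given path attribute, or None."""
    for action in root.iter("action"):
        if action.get("path") == path:
            return action
    return None


def _acl_element(action):
    """Return the <set-property property="acls"> child of an action, or None."""
    for prop in action.findall("set-property"):
        if prop.get("property") == "acls":
            return prop
    return None


def check_workaround(xml_text):
    """Return {action path: (ok, reason)} for the two mappings."""
    root = ET.fromstring(xml_text)
    results = {}
    for path, acl in REQUIRED_ACLS.items():
        action = _find_action(root, path)
        if action is None:
            results[path] = (False, "action mapping not found")
        elif action.get("className") != MAPPING_CLASS:
            results[path] = (False, "className is not RhnActionMapping; acls would not apply")
        else:
            elem = _acl_element(action)
            found = elem.get("value") if elem is not None else None
            if found != acl:
                results[path] = (False, f"acls is {found!r}, expected {acl!r}")
            else:
                results[path] = (True, "ok")
    return results


def apply_workaround(xml_text):
    """Return the config with className and acls set on both mappings (idempotent).

    ElementTree re-serialises the document and drops the DOCTYPE and comments,
    so run this on a copy and diff the result against the original file."""
    root = ET.fromstring(xml_text)
    for path, acl in REQUIRED_ACLS.items():
        action = _find_action(root, path)
        if action is None:
            raise ValueError(f"{path} not present in struts-config.xml")
        action.set("className", MAPPING_CLASS)
        elem = _acl_element(action)
        if elem is None:
            elem = ET.Element("set-property", property="acls", value=acl)
            # Place it after any existing set-property entries and before the
            # <forward> elements, matching the layout shown in the article.
            action.insert(len(action.findall("set-property")), elem)
        elem.set("value", acl)
    return ET.tostring(root, encoding="unicode")


# Constructed sample resembling an unpatched 5.3 configuration (no className, no acls).
SAMPLE_53 = """<struts-config>
  <action-mappings>
    <action path="/newlogin/CreateFirstUserSubmit" name="createSatelliteForm"
        scope="request" validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction">
      <forward name="success_sat" path="/YourRhn.do" redirect="true"/>
      <forward name="fail-sat" path="/newlogin/CreateFirstUser.do"/>
    </action>
    <action path="/newlogin/CreateSatelliteSubmit" name="createSatelliteForm"
        scope="request" validate="false"
        input="/WEB-INF/pages/user/create/usercreate.jsp"
        type="com.redhat.rhn.frontend.action.user.CreateUserAction">
      <forward name="existorgsuccess" path="/users/ActiveList.do" redirect="true"/>
      <forward name="failure" path="/users/CreateUser.do"/>
    </action>
  </action-mappings>
</struts-config>
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_53
    for action_path, (ok, reason) in check_workaround(text).items():
        print(f"{'OK  ' if ok else 'FAIL'} {action_path}: {reason}")
```

Run it as `python check_cve_2013_4480.py /var/lib/tomcat6/webapps/rhn/WEB-INF/struts-config.xml` (hypothetical script name) after the manual edit to confirm both mappings report OK before restarting the service. A mapping that carries the acls line but not the RhnActionMapping className is reported as not fixed, which is the mistake the 5.3 procedure is most likely to produce.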
