Bug 902182 (CVE-2014-3654) - VUL-0: CVE-2014-3654: various XSS in SUSE Manager / cobbler
Summary: VUL-0: CVE-2014-3654: various XSS in SUSE Manager / cobbler
Status: RESOLVED FIXED
Alias: CVE-2014-3654
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Deadline: 2014-11-19
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp2:59503 maint:...
Keywords:
Depends on:
Blocks:
Reported: 2014-10-22 07:07 UTC by Thomas Biege
Modified: 2015-03-27 02:45 UTC
CC List: 11 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
cobbler.patch (6.60 KB, patch)
2014-10-22 07:07 UTC, Thomas Biege
sort-attributes.patch (4.83 KB, patch)
2014-10-22 07:08 UTC, Thomas Biege

Description Thomas Biege 2014-10-22 07:07:34 UTC
Created attachment 610906
cobbler.patch

Hello Klaus,
I assigned it to you to assign the bug to the right people in your team.

We received this email from Red Hat:

So this is CVE-2014-3654, going out October 30th, patches attached.

Stored cross-site scripting in /rhn/kickstart/cobbler/CustomSnippetList.do

Reflected cross-site scripting in /rhn/channels/software/Entitlements.do

Reflected cross-site scripting in /rhn/admin/multiorg/OrgUsers.do (note:
these are in a POST request of a CSRF-protected page, so this is likely
only self-XSS)

Details:

Stored cross-site scripting on
/rhn/kickstart/cobbler/CustomSnippetList.do using the name parameter of
a "snippit"
- Example: setting the name to: testabc" onclick="alert(1)
- This will execute when trying to view, delete, etc. (as far as I can
tell, it becomes impossible to delete)
- This is the one place in the application where something is indexed
by a name, not its id, which causes all kinds of problems with
viewing/deleting/etc when an attacker slips in HTML characters

=======
Reflected cross-site scripting in /rhn/channels/software/Entitlements.do
- list_1154021400_sortby=test%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E
- list_1154021400_sortdir=test%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E

=======
Reflected cross-site scripting in /rhn/admin/multiorg/OrgUsers.do (note:
these are in a POST request of a CSRF-protected page, so this is likely
only self-XSS)
- list_1116155735_sortby="><script>alert(1)<%2fscript>
- list_1116155735_sortdir="><script>alert(1)<%2fscript>



-- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
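Both findings above are the same defect seen twice: an attacker-controlled string (the snippet name, or the list's sortby/sortdir parameter) is written into an HTML attribute without being encoded, so a double quote closes the attribute and whatever follows becomes markup. The Java below is an added illustration, not code from spacewalk-java or from the attached patches; the hidden-field markup, the column whitelist and the class and method names are assumptions. It places the unsafe rendering next to a hardened one that first restricts a sort parameter to known column names and then attribute-encodes it on output, which is the general rule that also covers the snippet-name case.

```java
// Added example (not spacewalk-java's own code): unescaped vs. attribute-escaped
// rendering of a list "sortby" parameter. Requires Java 9+ for Set.of.
import java.util.Set;

public class SortParamRendering {

    // Constructed: the columns a hypothetical list page is allowed to sort by.
    private static final Set<String> ALLOWED_SORT_COLUMNS =
            Set.of("name", "label", "created");

    // Unsafe pattern: the raw parameter is concatenated into a quoted attribute.
    // A value such as  test"><script>...  ends the attribute and injects markup.
    static String renderHiddenFieldVulnerable(String sortBy) {
        return "<input type=\"hidden\" name=\"list_sortby\" value=\"" + sortBy + "\">";
    }

    // Minimal HTML attribute encoder for a double-quoted attribute context.
    // The five characters below are the ones that can change how the attribute
    // or the surrounding element is parsed.
    static String escapeAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: a sort column is a closed vocabulary, so anything not in
    // the whitelist falls back to a default; the value is still encoded on output
    // so the rendering stays safe even if the whitelist is loosened later.
    static String renderHiddenFieldHardened(String sortBy) {
        String column = ALLOWED_SORT_COLUMNS.contains(sortBy) ? sortBy : "name";
        return "<input type=\"hidden\" name=\"list_sortby\" value=\""
                + escapeAttribute(column) + "\">";
    }

    public static void main(String[] args) {
        // Constructed input of the shape the report describes: a quote that
        // closes the attribute followed by markup.
        String hostile = "test\"><script>alert(1)</script>";

        System.out.println("vulnerable: " + renderHiddenFieldVulnerable(hostile));
        System.out.println("hardened:   " + renderHiddenFieldHardened(hostile));
        System.out.println("hardened:   " + renderHiddenFieldHardened("label"));
        // Encoding alone (no whitelist) also neutralises the input:
        System.out.println("escaped:    " + escapeAttribute(hostile));
    }
}
```

The whitelist is the right primary control for sort parameters because their legitimate values are a small fixed set; output encoding is the control that generalises to free-form fields such as the snippet name, where no whitelist exists and the value must be encoded for the exact context (attribute, element body, URL) it lands in.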
Comment 1 Thomas Biege 2014-10-22 07:08:22 UTC
Created attachment 610907
sort-attributes.patch
Comment 2 Thomas Biege 2014-10-22 07:08:56 UTC
CRD: 2014-10-30
Comment 3 Michael Calmer 2014-10-27 15:03:21 UTC
preparing packages for 1.7 and 2.1
Comment 4 Michael Calmer 2014-10-27 15:34:08 UTC
Packages submitted:

--------------------------------------------------------------------------

Manager 2.1:
spacewalk-java: only the security fixes

--------------------------------------------------------------------------

Manager 1.7 (incl. the old one from the last time which is not yet released):
spacewalk-branding:
- version 1.7.1.12-1
- End-user documentation clarification for CVE Audit (bnc#899266)

spacewalk-java:
- version 1.7.54.33-1
- fix various XSS issues CVE-2014-3654 (bsc#902182)
- fix CVE Audit when some packages of a patch are already installed
  (bnc#899266)
- fix XSS flaws - CVE-2014-3595 (bnc#896012)

------------------------------------------------------------------------------

Committed to git:
Manager-1.7: 
- d93391cee88a1f5ef249c5479af64a0c186bedf6
- 8977d1215e4f207ee4cb9e19c812e5d23e1bd869

Manager-2.1:
- 9c0c256c9c168b699b8bf63b73582d43ae41c1d7
- a01e2adfea7cb104fd0050dbb65768b1fed3e118

Manager:
- a9ceb529b9199b5984ba804f16e2cbc6339bde70
- a88dca4f26b98c392e5e1e0d0141a1f50827642d

Re-assign to security-team for writing patchinfo and tracking.
Comment 5 Victor Pereira 2014-10-30 15:07:47 UTC
the issue is public now
Comment 6 Swamp Workflow Management 2014-10-31 17:05:31 UTC
SUSE-SU-2014:1339-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 896012,902182
CVE References: CVE-2014-3595,CVE-2014-3654
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src):    spacewalk-java-1.7.54.33-0.5.1
Comment 7 Swamp Workflow Management 2014-10-31 17:06:57 UTC
SUSE-SU-2014:1342-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 902182
CVE References: CVE-2014-3654
Sources used:
SUSE Manager Server (src):    spacewalk-java-2.1.165.6-0.13.1
Comment 8 Swamp Workflow Management 2014-11-05 20:40:05 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-11-19.
https://swamp.suse.de/webswamp/wf/59584
Comment 9 Marcus Meissner 2015-03-05 08:06:27 UTC
released I think
Comment 10 Swamp Workflow Management 2015-03-26 19:19:28 UTC
SUSE-RU-2015:0611-1: An update that solves 8 vulnerabilities and has 123 fixes is now available.

Category: recommended (important)
Bug References: 653265,767279,808947,841731,855389,858971,860299,862408,867836,870159,872029,872298,872351,875231,875452,878550,878553,879904,879992,879998,880001,880022,880026,880027,880081,880087,880327,880388,880936,881111,881225,881522,881711,882468,883009,883057,883379,883487,884051,884081,884350,884366,885889,886391,886421,887538,887879,889363,889605,889721,889739,889905,892707,892711,893608,895001,895961,896029,896109,896238,896244,896254,896844,897723,898242,898426,898428,899266,900956,901058,901108,901193,901675,901776,901927,901928,901958,902182,902373,902494,902503,902915,903064,903720,903723,903880,903961,904690,904699,904703,904732,904841,904959,905072,905263,905530,906850,906851,906887,907086,907106,907337,907527,907586,907643,907645,907646,907677,907809,908317,908320,908849,909724,910243,910482,910494,911166,911180,911272,911808,912035,912057,912886,913215,913221,913939,914260,914437,914900,915140,919448
CVE References: CVE-2014-0114,CVE-2014-0240,CVE-2014-0242,CVE-2014-3654,CVE-2014-7811,CVE-2014-7812,CVE-2014-8583,CVE-2014-9130
Sources used:
SUSE Manager Server (src):    apache2-mod_wsgi-3.3-5.7.17, auditlog-keeper-0.2.3+git.1417708457.eabd1a9-0.7.58, cobbler-2.2.2-0.54.9, google-gson-2.2.4-0.7.52, libyaml-0.1.3-0.10.16.11, oracle-config-1.1-0.10.10.16, osad-5.11.33.7-0.7.16, perl-Class-Singleton-1.4-4.13.38, perl-NOCpulse-Object-1.26.13.2-0.7.13, perl-Satcon-1.20.2-0.7.6, postgresql91-9.1.15-0.3.1, pxe-default-image-0.1-0.20.56, python-enum34-1.0-0.7.33, python-gzipstream-1.10.2.2-0.7.6, rhn-custom-info-5.4.22.6-0.7.13, rhnlib-2.5.69.6-0.7.6, rhnmd-5.3.18.4-0.7.15, rhnpush-5.5.71.7-0.7.16, sm-ncc-sync-data-2.1.9-0.7.6, smdba-1.5.1-0.7.6, spacecmd-2.1.25.7-0.7.9, spacewalk-admin-2.1.2.4-0.7.6, spacewalk-backend-2.1.55.15-0.7.11, spacewalk-branding-2.1.33.10-0.7.16, spacewalk-certs-tools-2.1.6.5-0.7.10, spacewalk-client-tools-2.1.16.6-0.7.9, spacewalk-config-2.1.5.4-0.7.15, spacewalk-doc-indexes-2.1.2.3-0.7.26, spacewalk-java-2.1.165.14-0.7.16, spacewalk-reports-2.1.14.8-0.7.10, spacewalk-search-2.1.14.6-0.7.18, spacewalk-setup-2.1.14.9-0.7.6, spacewalk-setup-jabberd-2.1.0.2-0.7.6, spacewalk-utils-2.1.27.12-0.7.25, spacewalk-web-2.1.60.12-0.7.7, spacewalksd-5.0.14.6-0.7.15, struts-1.2.9-162.33.22, supportutils-plugin-susemanager-1.0.3-0.5.5, supportutils-plugin-susemanager-client-1.0.4-0.5.5, suseRegisterInfo-2.1.9-0.7.29, susemanager-2.1.17-0.7.11, susemanager-jsp_en-2.1-0.15.23, susemanager-manuals_en-2.1-0.15.24, susemanager-schema-2.1.50.11-0.7.8, susemanager-sync-data-2.1.5-0.7.6, tanukiwrapper-3.2.3-0.10.12, yum-3.2.29-0.19.30, zypp-plugin-spacewalk-0.9.8-0.15.51