Bugzilla – Bug 927828
VUL-1: CVE-2015-1867: pacemaker: acl read-only access allow role assignment
Last modified: 2017-08-08 22:41:13 UTC
Via oss-sec / RH: Franck Grosjean of Red Hat reports: Description of problem: acl definitions are not enforced and could be bypassed by a user without write access to the cib Version-Release number of selected component (if applicable): RedHat Enterprise Linux 6.6 pcs --version = 0.9.123 pacemakerd --version = Pacemaker 1.1.11 How reproducible: a user with a read-only role can assign any other existing roles to himself and then gain any kind of access from any role (rw access to the cib if this kind of role exist). Steps to Reproduce: 1. create a role read-only pcs acl role create read-only description="Read only access" read xpath /cib 2. create a role admin pcs acl role create admin description="Admin access" write xpath /cib 3. create an account (local + pcs) 4. open a session with this roaccount account 5. add admin role to your account pcs acl role assign admin to rocluster 6. check new acl pushed as a read-only user pcs acl User: rocluster Roles: read-only admin Role: read-only Description: Read only access Permission: read xpath /cib (read-only-read) Role: admin Description: Admin access Permission: write xpath /cib (admin-write) 7. add/delete/modify anything Actual results: obtain rw access to the cib Expected results: must not be possible with read-only access to the cib to assign a role Introduced in: https://github.com/ClusterLabs/pacemaker/commit/f242c1ef Fixed in: https://github.com/ClusterLabs/pacemaker/commit/84ac07c Checked the code: For SLE this makes SLE 11 not affected, SLE 12 affected openSUSE 13.2 affected. References: https://bugzilla.redhat.com/show_bug.cgi?id=1211370 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1867 http://seclists.org/oss-sec/2015/q2/126 http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1867.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1867 https://github.com/ClusterLabs/pacemaker/commit/f242c1ef https://github.com/ClusterLabs/pacemaker/commit/84ac07c
This is an autogenerated message for OBS integration: This bug (927828) was mentioned in https://build.opensuse.org/request/show/298166 Factory / pacemaker
(In reply to Yan Gao from comment #2) > How about opensuse13.2? Should I probably request a submission from > network:ha-clustering:Factory/pacemaker to some repository? Depends on how much network:ha-clustering:Factory/pacemaker has moved on since, and if it is compatible with itself and depending packages. To only apply the patch to fix the single issue: osc mbranch, apply single patch, changelog, then osc mr. Otherwise submit to openSUSE:Maintenance from devel project.
bugbot adjusting priority
So far we don't have a plan for a collective maintenance update for SLE12 HAE. Submitted for SLE12SP1.
fixed in current SLES, openSUSE and Factory.