From c86675b540ca8a30ed68027e5e56c58c754150b9 Mon Sep 17 00:00:00 2001 From: Evgeni Golov Date: Tue, 26 Sep 2023 15:00:24 +0200 Subject: [PATCH] document CVE-2022-3874 and the fix for it --- _includes/manuals/3.8/1.2_release_notes.md | 12 +++++++++++- _includes/manuals/nightly/1.2_release_notes.md | 10 ++++++++++ security.md | 11 +++++++++++ 3 files changed, 32 insertions(+), 1 deletion(-) diff --git a/_includes/manuals/3.8/1.2_release_notes.md b/_includes/manuals/3.8/1.2_release_notes.md index 05da90ffeb..f0f377b340 100644 --- a/_includes/manuals/3.8/1.2_release_notes.md +++ b/_includes/manuals/3.8/1.2_release_notes.md @@ -13,11 +13,21 @@ The parameters still exist and can be specified, but the average user shouldn't ### Upgrade warnings -### Foreman Redis caching DB changed to 4 +#### Foreman Redis caching DB changed to 4 Since Foreman 3.6 Foreman can be easily configured to use Redis for caching (using `--foreman-rails-cache-store type:redis`). Starting Foreman 3.8 this uses DB 4, instead of DB 0, to avoid potential conflicts with other software. +#### `ct_command` and `fcct_command` settings replaced with `(fc)ct_location` and `(fc)ct_arguments` + +To fix [CVE-2022-3874](/security.html#2022-3874) the settings for the CoreOS and Fedora CoreOS +transpiler commands were changed to individual settings for the location of the binary and the +arguments passed to it. +During the upgrade the location of the binaries will be automatically changed to `/usr/bin/ct` +and `/usr/bin/fcct`. Setting the binary location to any other path requires changes to +`settings.yaml`, as different locations are forbidden by default. +The arguments are automatically migrated from the old settings to the new ones. + ### Release Notes ### Release notes for 3.8.0 diff --git a/_includes/manuals/nightly/1.2_release_notes.md b/_includes/manuals/nightly/1.2_release_notes.md index c042901c21..bbe92fcc41 100644 --- a/_includes/manuals/nightly/1.2_release_notes.md 
+++ b/_includes/manuals/nightly/1.2_release_notes.md @@ -6,6 +6,16 @@ This section will be updated prior to the next release. ### Upgrade warnings +#### `ct_command` and `fcct_command` settings replaced with `(fc)ct_location` and `(fc)ct_arguments` + +To fix [CVE-2022-3874](/security.html#2022-3874) the settings for the CoreOS and Fedora CoreOS +transpiler commands were changed to individual settings for the location of the binary and the +arguments passed to it. +During the upgrade the location of the binaries will be automatically changed to `/usr/bin/ct` +and `/usr/bin/fcct`. Setting the binary location to any other path requires changes to +`settings.yaml`, as different locations are forbidden by default. +The arguments are automatically migrated from the old settings to the new ones. + ### Deprecations ### Release Notes diff --git a/security.md b/security.md index c20ddf1a00..2bdf352866 100644 --- a/security.md +++ b/security.md @@ -15,6 +15,7 @@ The policy of the project is to treat all newly reported issues as private, and All security advisories made for Foreman are listed below with their corresponding [CVE identifier](https://cve.mitre.org/). +* [CVE-2022-3874: OS command injection via ct_command and fcct_command](security.html#2022-3874) * [CVE-2021-3584: Remote code execution through Sendmail configuration](security.html#2021-3584) * [CVE-2021-20256: BMC controller credential leak via API](security.html#2021-20256) * [CVE-2021-20259: Proxmox compute resource password leak](security.html#2021-20259) 
@@ -87,6 +88,16 @@ All security advisories made for Foreman are listed below with their correspondi ### Disclosure details +#### CVE-2022-3874: OS command injection via ct_command and fcct_command + +`ct_command` and `fcct_command` settings, available via Administer - Settings, both accept arbitrary +strings as the command name and calling CoreOS templates will execute those commands as the user Foreman runs under. +By default, only Foreman super administrator can access settings. + +* Affects Foreman 3.2.0 and higher +* Fix released in Foreman 3.8.0 +* Redmine issue [#36759](https://projects.theforeman.org/issues/36759) + #### CVE-2021-3584: Remote code execution through Sendmail configuration Sendmail location and arguments, available via Administer - Settings, both accept arbitrary strings and pass them into shell.
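Review bot: in the `_includes/manuals/3.8/1.2_release_notes.md` hunk, the new upgrade warning says a non-default binary path "requires changes to `settings.yaml`" but never names the key an administrator has to set, so the warning is not actionable; name the setting or link to the settings documentation. The same paragraph should also state plainly that a custom path stored in the old `ct_command`/`fcct_command` is not carried over (only the arguments are migrated, and the location is reset to `/usr/bin/ct` and `/usr/bin/fcct`), because an instance whose transpiler lives elsewhere will not find it at the new default after the upgrade. Minor: `(fc)ct_location` and `(fc)ct_arguments` in the heading read like literal setting names; spelling out `ct_location`, `fcct_location`, `ct_arguments` and `fcct_arguments` avoids that.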
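Review bot: the `_includes/manuals/nightly/1.2_release_notes.md` hunk repeats the 3.8 paragraph verbatim, including the unnamed `settings.yaml` key, so the two copies will drift apart as soon as one is corrected; either fix both in this patch or keep the nightly text as a one-line pointer to the 3.8 warning.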
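Review bot: the CVE-2022-3874 disclosure added to `security.md` describes the injection but not the fix, while the release-notes hunks do; add a sentence that 3.8.0 splits each setting into a location and an arguments setting and restricts the location to `/usr/bin/ct` and `/usr/bin/fcct` unless overridden in `settings.yaml`, so that readers of the advisory alone know what changed. Wording: "calling CoreOS templates will execute those commands as the user Foreman runs under" should read "rendering a CoreOS template executes that command as the user Foreman runs under", and "only Foreman super administrator can access settings" should read "only Foreman super administrators can change settings", since write access is the privilege that matters here. Stating the interim mitigation for installations that cannot upgrade yet (keep the administrator role tightly held and audit the two settings for unexpected values) would complete the entry.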