diff --git a/CVE-2020-35497.patch b/CVE-2020-35497.patch new file mode 100644
index 0000000000000000000000000000000000000000..91e32f1824b82644bf4edeebe47dc148fb9082b6
--- /dev/null
+++ b/CVE-2020-35497.patch
@@ -0,0 +1,98 @@ +From d663972f8a144b283591e46693f0aa27a9f2e859 Mon Sep 17 00:00:00 2001 +From: Eli Mesika +Date: Wed, 23 Dec 2020 13:15:39 +0200 +Subject: [PATCH] core: prevent non-admin users see other users data + +This patch fixes a security hole that enables regular users to access +other user data including administrators. +The problem was in the DAO that accesses the users data according to the +user permission, the wrong logic was to get all the user data if any +permission is found for the given user. + +This patch modifies the relevant queries in the BLL level to return only +the information that the user allowed to see + +CVE-2020-35497 + +Change-Id: I5130799027ab79f03b4e25c5f2f2ca4150887719 +Bug-Id: https://bugzilla.redhat.com/show_bug.cgi?id=1899938 +Signed-off-by: Eli Mesika +(cherry picked from commit 40160e6f678d632937a22a8e23370086024f9994) +--- + .../engine/core/bll/aaa/GetAllDbUsersQuery.java | 17 +++++++++++++++-- + .../core/bll/aaa/GetDbUserByUserIdQuery.java | 14 +++++++++++++- + 2 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java +index e799dbd8f76..4d964b110a9 100644 +--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java ++++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetAllDbUsersQuery.java +@@ -1,12 +1,17 @@ + package org.ovirt.engine.core.bll.aaa; + +-import javax.inject.Inject; ++import java.util.ArrayList; ++ ++import javax.inject.Inject; + + import org.ovirt.engine.core.bll.QueriesCommandBase; + import org.ovirt.engine.core.bll.context.EngineContext; ++import org.ovirt.engine.core.common.businessentities.aaa.DbUser; + import org.ovirt.engine.core.common.queries.QueryParametersBase; + import org.ovirt.engine.core.dao.DbUserDao; + ++ ++ + public class 
GetAllDbUsersQuery

+ extends QueriesCommandBase

{ + @Inject +@@ -18,6 +23,14 @@ public class GetAllDbUsersQuery

+ + @Override + protected void executeQueryCommand() { +- getQueryReturnValue().setReturnValue(dbUserDao.getAll(getUserID(), getParameters().isFiltered())); ++ DbUser currentUser = getUser(); ++ // A non-admin trying to get other user data will get its own data ++ if (!currentUser.isAdmin()) { ++ ArrayList users = new ArrayList<>(); ++ users.add(currentUser); ++ getQueryReturnValue().setReturnValue(users); ++ } else { ++ getQueryReturnValue().setReturnValue(dbUserDao.getAll(getUserID(), getParameters().isFiltered())); ++ } + } + } +diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java +index 52f88740da6..df491489a80 100644 +--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java ++++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java +@@ -4,6 +4,7 @@ import javax.inject.Inject; + + import org.ovirt.engine.core.bll.QueriesCommandBase; + import org.ovirt.engine.core.bll.context.EngineContext; ++import org.ovirt.engine.core.common.businessentities.aaa.DbUser; + import org.ovirt.engine.core.common.queries.IdQueryParameters; + import org.ovirt.engine.core.dao.DbUserDao; + +@@ -19,6 +20,17 @@ public class GetDbUserByUserIdQuery

+ + @Override + protected void executeQueryCommand() { +- getQueryReturnValue().setReturnValue(dbUserDao.get(getParameters().getId(), getParameters().isFiltered())); ++ DbUser currentUser = getUser(); ++ if (!currentUser.isAdmin()) { ++ // unauthorized access ++ if (!currentUser.getId().equals(getParameters().getId())) { ++ getQueryReturnValue().setReturnValue(null); ++ } else { ++ // A non-admin user can get only its own data ++ getQueryReturnValue().setReturnValue(dbUserDao.get(currentUser.getId(), false)); ++ } ++ } else { ++ getQueryReturnValue().setReturnValue(dbUserDao.get(getParameters().getId(), getParameters().isFiltered())); ++ } + } + } +-- +2.27.0 + diff --git a/ovirt-engine.spec b/ovirt-engine.spec index 6397b93a0715819cfcfacc400a0de37a506d8920..a06d73356e32c6b11171f381aa77e8c94214caca 100644 --- a/ovirt-engine.spec +++ b/ovirt-engine.spec @@ -176,7 +176,7 @@ getent passwd %1 >/dev/null || useradd -r -u %2 -g %3 -c %5 -s /sbin/nologin -d Name: ovirt-engine Version: 4.4.4.1 -Release: 10 +Release: 11 Summary: Management server for Open Virtualization Group: %{ovirt_product_group} License: Apache 2.0 @@ -202,6 +202,7 @@ Patch9: 0009-fix-engine-setup-problem.patch Patch10: 0010-fix-host-installation-failure.patch Patch11: 0011-get-vdsm-id-from-dmidecode-system-uuid-on-aarch64.patch Patch12: CVE-2024-0822.patch +Patch13: CVE-2020-35497.patch BuildArch: noarch BuildRequires: assertj-core >= 2.2.0 @@ -655,6 +656,7 @@ Setup imageio service. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 sed -i '87s/@Test/\/\/@Test/g' backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/builder/vminfo/LibvirtVmXmlBuilderTest.java sed -i '88s/@MockedConfig/\/\/@MockedConfig/g' backend/manager/modules/vdsbroker/src/test/java/org/ovirt/engine/core/vdsbroker/builder/vminfo/LibvirtVmXmlBuilderTest.java sed -i '121s/@Test/\/\/@Test/g' backend/manager/modules/bll/src/test/java/org/ovirt/engine/core/bll/AddClusterCommandTest.java 
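Review bot: In the GetDbUserByUserIdQuery part of this patch, the `// unauthorized access` branch only does `getQueryReturnValue().setReturnValue(null);` and logs nothing, so a denied cross-user lookup is presumably indistinguishable from a lookup of a nonexistent id and leaves no audit trail at this layer. As this is a cherry-picked upstream fix it is reasonable to carry it unchanged, but a follow-up that logs the requesting user and the requested id before the `setReturnValue(null)` (or fails the query with an explicit permission error instead of a bare null) would give operators a detection signal; the GetAllDbUsersQuery branch, which silently hands a non-admin only its own record, has the same property. The `ArrayList users = new ArrayList<>();` line in GetAllDbUsersQuery reads as a raw type, but since the surrounding class declarations have clearly lost their generic type parameters in rendering, this is most likely an extraction artifact rather than something to change in the patch.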
@@ -1303,6 +1305,9 @@ fi %{engine_data}/setup/bin/ovirt-engine-health %changelog +* Fri Jun 07 2024 wangziliang - 4.4.4.1-11 +- Fix CVE-2020-35497 + * Tue Mar 05 2024 yanjianqing - 4.4.4.1-10 - Fix CVE-2024-0822