Project

Profile

Help

Issue #1833

closed

CVE-2016-3107: Node certificate containing private key stored in world-readable file

Added by rbarlow over 8 years ago. Updated over 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.8.3
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

The Node certificate is installed
world-readable:

$ ls -lah /etc/pki/pulp/nodes/
total 4.0K
drwxr-xr-x. 2 root root 21 Apr 8 16:37 .
drwxr-xr-x. 4 root root 90 Apr 8 16:37 ..
-rw-r--r--. 1 root root 3.2K Apr 8 16:37 node.crt

The fix adjusts the generation script to limit the permissions
to 0640, and to adjust the group ownership to the apache group. It
also uses the -Z flag on the mv command to ensure the correct
SELinux context is used on the installed file.

Credit also goes to Jeremy Cline (Red Hat) for independently
discovering and reporting this issue.

Also available in: Atom PDF