oss-sec mailing list archives

Re: CVE request - Evergreen


From: cve-assign () mitre org
Date: Tue, 3 Mar 2015 20:08:28 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/

We have these initial questions, in part to determine whether there should
be a total of two CVE IDs or three CVE IDs.

http://openwall.com/lists/oss-security/2015/03/03/11 says:

Both bugs had permitted remote unauthenticated access of confidential
application configuration settings.

but https://bugs.launchpad.net/evergreen/+bug/1206589 says:

Any user who can authenticate to Evergreen and make the proper
open-ils.pcrud calls can view the history of any setting ... once
anonymous pcrud goes in, no login would be required either.

Was there a released version of Evergreen in which an unauthenticated
attacker could view a setting's history by exploiting this bug?

https://bugs.launchpad.net/evergreen/+bug/1206589 also says:

An immediate fix for this would be to add a permission, just about any
permission that a patron would not have ... The
collab/dyrcona/lp1206589-quick-fix branch in the security repo adds a
retrieve permission of STAFF_LOGIN ... That leaves us pretty much
where the initial bug reports assumes we were with settings exposed
only to unauthorized staff ... Since I have suggested removing the
open-ils.pcrud controller, leaving cstore as the only mode of access
to these settings, new API calls would need to be added to search and
retrieve the settings history.

and
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=ac588e879cf73ff1b65617e0bd273361d3529063
says:

Temporary Fix for Org. Unit Settings History Bug

 1. It adds a retrieve permission of STAFF_LOGIN.  This at least
    requires someone with staff permission to be able to view settings
    history.

Does this mean that:

 - in version 2.7.3, there is a major vulnerability in which a
   setting's history can be viewed by any authenticated user,
   including users with the "patron" role

 - in version 2.7.4, there is a minor vulnerability in which a
   setting's history can be viewed by all persons with the staff role,
   which would include unauthorized staff in many realistic
   deployments. This might be fixed in a future release by forcing all
   access to use cstore, or by some other undetermined change.

?

https://bugs.launchpad.net/evergreen/+bug/1424755

This seems to be a much simpler case that was completely fixed by
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
and had allowed unauthenticated access. It will have only one CVE ID.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU9lpzAAoJEKllVAevmvmsbdQH/22bw/68/mpyxJ6cOvlw7e1M
QSfNIO+feS9aS9c7k7y2g6yV0KEC7b261gSLQlJFpPVYq7sBh/Y9jLcQhINOWb1j
8m5DP8lqHF4iiCXxxxwJsG5MM2AxvKnk0KXcfGu8qnd6OOmuO4xC+hM5P3XdpRFQ
RJeQU8lSDYHD3yb9D+lfvybr/2ceUVAVTuJCeCLDBj0yr7Gvn3+R0as/mqTt6jyU
EQqciiLFntiucwSOAFQDD0rA0/9JP+ORDC47BcIyDgi0Xca/T+36NbeIsskMXEjO
liBCap+fLIuFWQ0dx5zS+9YQjYwaWyTeaXOFTfjhPUVkgao2CF5aoRSL0qL1zIg=
=3sHe
-----END PGP SIGNATURE-----