CVE-2021-44215 & CVE-2021-44216 - Log file permissions

Posted by Nick Anderson
March 3, 2022

The CFEngine engineering team has recently discovered two security issues in the CFEngine Enterprise product, specifically in the hub package:

  • CVE-2021-44215 - PostgreSQL log file world readable.
  • CVE-2021-44216 - Apache and Mission Portal Application log files world readable.

CVE-2021-44215 is a regression affecting currently supported versions 3.18.0 and 3.15.4 as well as some unsupported versions. CVE-2021-44216 affects all supported versions prior to 3.18.1 and 3.15.5 as well as some unsupported versions.

CVE-2021-44215 - PostgreSQL log file world readable

Description

The CFEngine Enterprise Hub package uses PostgreSQL for storing data about the history and current state of reporting agents. The log file /var/log/postgresql.log was found to be world readable.

Detection

Currently supported versions of the CFEngine Enterprise Hub package affected include 3.18.0 and 3.15.4 (3.15.x prior to 3.15.4 are not affected). Some older, currently unsupported versions of the CFEngine Enterprise Hub package are affected as well.

Use this script to check if you are affected. Note, by default this script checks for both CVE-2021-44215 and CVE-2021-44216. This example checks only for CVE-2021-44215.

[root@hub ~]# curl -sO https://cfengine.com/2022/check-CVE-2021-44215-and-CVE-2021-44216.sh
[root@hub ~]# bash check-CVE-2021-44215-and-CVE-2021-44216.sh --no-check-cve-2021-44216
Running CFEngine Enterprise 3.15.4
Checking for the presence of CVE-2021-44215
WARNING: CVE-2021-44215 found

Impact

An attacker with local access to the CFEngine Enterprise Hub can read database logs which may contain sensitive data depending on the configuration.

Mitigation

To mitigate the issue, upgrade to the newest supported releases of CFEngine Enterprise (3.18.1, 3.15.5) or use this policy to manage the permissions actively until an upgrade can be completed.

Please contact support if you need assistance.

This issue has been registered as CVE-2021-44215 in the official public CVE registry.

CVE-2021-44216 - Apache and Mission Portal Application log files world readable

Description

The CFEngine Enterprise Hub package uses Apache to serve the Mission Portal web application. Logs from both Apache and Mission Portal were found to be world readable.

Detection

Currently supported versions of the CFEngine Enterprise Hub package affected include 3.18.0, 3.15.4, 3.15.3, 3.15.2, 3.15.1 and 3.15.0 (versions prior to 3.18.1 and 3.15.5). Older, currently unsupported versions of the CFEngine Enterprise Hub package are affected as well.

Use this script to check if you are affected. Note, by default this script checks for both CVE-2021-44215 and CVE-2021-44216. This example checks only for CVE-2021-44216.

[root@hub ~]# curl -sO https://cfengine.com/2022/check-CVE-2021-44215-and-CVE-2021-44216.sh
[root@hub ~]# bash check-CVE-2021-44215-and-CVE-2021-44216.sh --no-check-cve-2021-44215
Running CFEngine Enterprise 3.15.4
Checking for the presence of CVE-2021-44216
WARNING: CVE-2021-44216 found /var/cfengine/httpd/logs/application/log-2022-01-26.log affected
WARNING: CVE-2021-44216 found /var/cfengine/httpd/logs/error_log affected
WARNING: CVE-2021-44216 found /var/cfengine/httpd/logs/access_log affected
WARNING: CVE-2021-44216 found /var/cfengine/httpd/logs/ssl_request_log affected
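The condition both Detection sections describe can also be checked directly from file mode bits. The following is an added example, not the vendor's check script: it audits the log paths named in this advisory for the other-read bit. The function names and the --audit flag are this example's own.

```shell
#!/bin/sh
# Added example: audit the log paths named in this advisory for files
# whose mode grants read access to "other".

# Paths as they appear in the advisory text and its sample output.
PG_LOG=/var/log/postgresql.log
HTTPD_LOG_DIR=/var/cfengine/httpd/logs

# world_readable PATH...
# Prints every regular file at or below each PATH that has the other-read
# bit set. Missing paths are skipped. Only mode bits are examined; ACLs
# and parent-directory permissions are not.
world_readable() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f -perm -004 -print 2>/dev/null
    done
}

# audit PATH...
# Prints one WARNING line per exposed file; returns 1 if any were found.
audit() {
    hits=$(world_readable "$@")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/WARNING: world readable: /'
    return 1
}

# restrict PATH...
# One-off fix: removes all "other" permissions from the exposed files.
# Newly created log files get their mode from the process that creates
# them, so this does not replace the upgrade or an actively applied policy.
restrict() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f -perm -004 -exec chmod o-rwx {} +
    done
}

# Audit the advisory's paths only when asked, so the file can be sourced.
case "${1:-}" in
    --audit) audit "$PG_LOG" "$HTTPD_LOG_DIR" ;;
esac
```

Run with --audit as root on the hub; a non-zero exit status means at least one of the listed files is readable by any local user.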

Impact

An attacker with local access to the CFEngine Enterprise Hub can read web-server and web application log files which may contain sensitive data depending on the configuration.

Mitigation

To mitigate the issue, upgrade to the newest supported releases of CFEngine Enterprise (3.18.1, 3.15.5) or use this policy to manage the permissions actively until an upgrade can be completed.

This issue has been registered as CVE-2021-44216 in the official public CVE registry.

Please contact support if you need assistance.