CVE-2021-40323

Advisory

Cobbler 3.3.0 and 3.2.2 include a fix for CVE-2021-40323: Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This release got everything! Security, Features, Bugfixes, ...

We have 422 files changed, 25375 insertions(+), 34826 deletions(-)

Milestone: <https://github.com/cobbler/cobbler/milestone/10>

Diff to last release: <https://github.com/cobbler/cobbler/compare/v3.2.1...v3.3.0>

**Known Issues**:

- `cobbler <item> rename` is not working currently
- `cobbler <item> edit` may have bugs due to the internal refactorings

**Breaking Changes**:

- The webinterface got removed [2434](https://github.com/cobbler/cobbler/pull/2434) [#2434](https://github.com/cobbler/cobbler/issues/2286) [#2700](https://github.com/cobbler/cobbler/pull/2700)
- Please use the CLI in the meantime
- A new webinterface is under development at <https://github.com/cobbler/cobbler-web>
- The core code has priority at any time. There are third party tools available which provide a webinterface and use
Cobbler as a backend. A list of those tools can be found at the bottom of the following page: <https://cobbler.github.io/users.html>
- The Cobbler internal TFTP Demon got removed [2512](https://github.com/cobbler/cobbler/pull/2512)
- `yaboot` support got removed as a bootloader for PowerPC [2723](https://github.com/cobbler/cobbler/pull/2723)

**Announcements**:

- Important Security Bugfixes [2794](https://github.com/cobbler/cobbler/pull/2794) [#2795](https://github.com/cobbler/cobbler/issues/2795)
- Arbitrary Read was possible through `generate_script()`
- Arbitrary Write was possible through `upload_log_data()`
- Log poisoning with Remote-Code-Execution was possible through any XMLRPC method which logs to the logfile.
- There was an internal refactoring from runtime created Python attributes to Python Properties. This allows much
better data validation and thus better error handling but also introduced new bugs.
Related: [2433](https://github.com/cobbler/cobbler/pull/2433) [#2666](https://github.com/cobbler/cobbler/pull/2666) [#2677](https://github.com/cobbler/cobbler/pull/2677) [#2753](https://github.com/cobbler/cobbler/pull/2753) [#2699](https://github.com/cobbler/cobbler/issues/2699) [#2692](https://github.com/cobbler/cobbler/issues/2692) [#2684](https://github.com/cobbler/cobbler/pull/2684) [#2707](https://github.com/cobbler/cobbler/issues/2707) [2727](https://github.com/cobbler/cobbler/pull/2727) [#2726](https://github.com/cobbler/cobbler/pull/2726) [#2685](https://github.com/cobbler/cobbler/pull/2685) [#2675](https://github.com/cobbler/cobbler/issues/2675) [#2678](https://github.com/cobbler/cobbler/issues/2678) [#2682](https://github.com/cobbler/cobbler/pull/2682) [#2674](https://github.com/cobbler/cobbler/issues/2674) [#2676](https://github.com/cobbler/cobbler/pull/2676) [#2681](https://github.com/cobbler/cobbler/issues/2681) [#2683](https://github.com/cobbler/cobbler/pull/2683) [#2696](https://github.com/cobbler/cobbler/pull/2696) [#2702](https://github.com/cobbler/cobbler/pull/2702) [#2732](https://github.com/cobbler/cobbler/issues/2732) [#2733](https://github.com/cobbler/cobbler/pull/2733) [#2722](https://github.com/cobbler/cobbler/issues/2722) [#2680](https://github.com/cobbler/cobbler/issues/2680) [#2711](https://github.com/cobbler/cobbler/pull/2711)
- This is the first release with the new avatar [2604](https://github.com/cobbler/cobbler/issues/2604)

**New**:

- The `migrate-data-v2-to-v3.py` script is now packages and can directly be used [2591](https://github.com/cobbler/cobbler/pull/2591)
- The `mkgrub.sh` script was converted to the command `cobbler mkgrub` [2739](https://github.com/cobbler/cobbler/pull/2739) [#2721](https://github.com/cobbler/cobbler/issues/2721)
- We now have automigrations and validation for the application settings [2747](https://github.com/cobbler/cobbler/pull/2747) [#2719](https://github.com/cobbler/cobbler/issues/2719) [#2772](https://github.com/cobbler/cobbler/pull/2772) [#2769](https://github.com/cobbler/cobbler/pull/2769)
- New distros are now able to be imported:
- Debian 11 [2758](https://github.com/cobbler/cobbler/pull/2758)
- Fedora 34 [2713](https://github.com/cobbler/cobbler/pull/2713)
- `cobbler sync` now supports syncing only specified systems [2601](https://github.com/cobbler/cobbler/pull/2601)
- You can now define your own boot menu structure [2575](https://github.com/cobbler/cobbler/pull/2575)
- Cobbler is able to run on RockyLinux and import it [2627](https://github.com/cobbler/cobbler/pull/2627)
- DHCPv6 is now natively supported [2539](https://github.com/cobbler/cobbler/pull/2539) [#2511](https://github.com/cobbler/cobbler/issues/2511) [#2647](https://github.com/cobbler/cobbler/pull/2647)

**Changes**:

- Internal cache got fully removed with 2684 (related [2661](https://github.com/cobbler/cobbler/pull/2661))
- `cobbler get-loaders` was removed for security reasons [2572](https://github.com/cobbler/cobbler/pull/2572)
- Removed the `simplejson` dependency as it is redundant now [2572](https://github.com/cobbler/cobbler/pull/2602)
- Docs: Multiple enhancements [2599](https://github.com/cobbler/cobbler/pull/2599) [#2788](https://github.com/cobbler/cobbler/pull/2788)
- Logger: Changed to the default Python 3 logger (much more configurable) [2573](https://github.com/cobbler/cobbler/pull/2573)
- Old bootloaders which were not shipped by default got removed [2641](https://github.com/cobbler/cobbler/pull/2641)
- Windows autoinstallation was simplified [2767](https://github.com/cobbler/cobbler/pull/2767)
- We are now using `os.urandom` instead of `/dev/urandom` [2752](https://github.com/cobbler/cobbler/pull/2752)
- We have reduced the usage of the generic `CX` exception [2643](https://github.com/cobbler/cobbler/pull/2643)
- `ipmilanplus` is the default fence agent for power operations [2714](https://github.com/cobbler/cobbler/pull/2714)
- For nested GRUB menus we now show an indicator [2693](https://github.com/cobbler/cobbler/pull/2694) [#2693](https://github.com/cobbler/cobbler/issues/2693)
- Items can now be found even if the item type is not specified [2663](https://github.com/cobbler/cobbler/pull/2663)

**Bugfixes**:

- Be compliant with CORS pre-flight requests [2594](https://github.com/cobbler/cobbler/pull/2594)
- `cobbler reposync`: SSL related problems were fixed [2759](https://github.com/cobbler/cobbler/pull/2759)
- Autoinstall templates directory was wrong per default. [2590](https://github.com/cobbler/cobbler/pull/2590)
- We do not strip the last two characters anymore when rendering via an HTTP(S) Endpoint [2626](https://github.com/cobbler/cobbler/pull/2626)
- `cobbler check` does not complain about the old name of the settingsfile anymore [2630](https://github.com/cobbler/cobbler/pull/2630)
- openSUSE Tumbleweed AutoYAST templating was fixed again [2629](https://github.com/cobbler/cobbler/pull/2629) [#2628](https://github.com/cobbler/cobbler/issues/2628) [#2632](https://github.com/cobbler/cobbler/pull/2632)
- `cobbler hardlink` now works with non default web directories [2774](https://github.com/cobbler/cobbler/pull/2774)
- GRUB got a few Cobbler related fixes [2653](https://github.com/cobbler/cobbler/pull/2653) [#2792](https://github.com/cobbler/cobbler/pull/2792) [#2743](https://github.com/cobbler/cobbler/pull/2743)
- `pxe_just_once` is working as expected now [2783](https://github.com/cobbler/cobbler/issues/2783) [#2784](https://github.com/cobbler/cobbler/pull/2784)
- Anaconda installation process `ONBOOT` is now able to be set with and without qotation marks [2775](https://github.com/cobbler/cobbler/pull/2775)
- The Autoinstall Manager crashes correctly in case of an error [2791](https://github.com/cobbler/cobbler/pull/2791)
- `cobbler distro delete` now doesn't leave repository configs behind [2729](https://github.com/cobbler/cobbler/pull/2729) [#1370](https://github.com/cobbler/cobbler/issues/1370)
- `cobbler sync --dns` is now working as expected again [2710](https://github.com/cobbler/cobbler/issues/2710) [#2712](https://github.com/cobbler/cobbler/pull/2712)

**Other**:

- Internal Refactorings:
- Base class for all manager modules is used now [2610](https://github.com/cobbler/cobbler/pull/2610)
- Cobbler litesync was moved into Cobbler sync [2615](https://github.com/cobbler/cobbler/pull/2615)
- `field_info.py` functionality was removed since it was unused [2662](https://github.com/cobbler/cobbler/pull/2662)
- API is used instead of the collection manager [2652](https://github.com/cobbler/cobbler/pull/2652)
- Settings are now held in the API instead of the collection manager [2664](https://github.com/cobbler/cobbler/pull/2664)
- Directly use the UUID module where available [2650](https://github.com/cobbler/cobbler/pull/2650)
- Don't clone an object during rename [2744](https://github.com/cobbler/cobbler/pull/2744)
- `kopts_overwrite` is more error resistent now [2651](https://github.com/cobbler/cobbler/pull/2651)
- Docs:
- Added missing dependency for building [2571](https://github.com/cobbler/cobbler/pull/2571)
- Fix build errors [2633](https://github.com/cobbler/cobbler/pull/2633)
- Extend `__init__.py` files with content about Python modules [2642](https://github.com/cobbler/cobbler/pull/2642)
- Spelling [2731](https://github.com/cobbler/cobbler/pull/2731)
- Types for many external API methods [2785](https://github.com/cobbler/cobbler/pull/2785)
- Document properties [2773](https://github.com/cobbler/cobbler/pull/2773)
- General cleanup [2771](https://github.com/cobbler/cobbler/pull/2771)
- Tests: Multiple new testcases to improve stability and coverage [2656](https://github.com/cobbler/cobbler/pull/2656) [#2740](https://github.com/cobbler/cobbler/pull/2740) [#2745](https://github.com/cobbler/cobbler/pull/2745) [#1492](https://github.com/cobbler/cobbler/issues/1492) [#2645](https://github.com/cobbler/cobbler/pull/2645) [#2649](https://github.com/cobbler/cobbler/pull/2649)
- GitHub Issue templates were revamped [2578](https://github.com/cobbler/cobbler/pull/2578)
- Packaging: Specfile got a few improvements [2780](https://github.com/cobbler/cobbler/pull/2780)
- CI:
- Obsolete testing container [2730](https://github.com/cobbler/cobbler/pull/2730)
- Also use the openSUSE Build Service for packaging on PRs [2672](https://github.com/cobbler/cobbler/pull/2672)
- Package also for openSUSE [2607](https://github.com/cobbler/cobbler/pull/2607)
- Enhance the Setup scrips [2331](https://github.com/cobbler/cobbler/pull/2631)
- Development: Container now exposes 80 & 443 [2609](https://github.com/cobbler/cobbler/pull/2609)

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40323
• https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a
• https://github.com/cobbler/cobbler/releases/tag/v3.3.0