CVE-2021-40325

Advisory

Cobbler before 3.3.0 allows authorization bypass for modification of settings.
https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This release got everything! Security, Features, Bugfixes, ...

We have 422 files changed, 25375 insertions(+), 34826 deletions(-)

Milestone: <https://github.com/cobbler/cobbler/milestone/10>

Diff to last release: <https://github.com/cobbler/cobbler/compare/v3.2.1...v3.3.0>

**Known Issues**:

- `cobbler <item> rename` is not working currently
- `cobbler <item> edit` may have bugs due to the internal refactorings

**Breaking Changes**:

- The webinterface got removed [2434](https://github.com/cobbler/cobbler/pull/2434) [#2434](https://github.com/cobbler/cobbler/issues/2286) [#2700](https://github.com/cobbler/cobbler/pull/2700)
- Please use the CLI in the meantime
- A new webinterface is under development at <https://github.com/cobbler/cobbler-web>
- The core code has priority at any time. There are third party tools available which provide a webinterface and use
Cobbler as a backend. A list of those tools can be found at the bottom of the following page: <https://cobbler.github.io/users.html>
- The Cobbler internal TFTP Demon got removed [2512](https://github.com/cobbler/cobbler/pull/2512)
- `yaboot` support got removed as a bootloader for PowerPC [2723](https://github.com/cobbler/cobbler/pull/2723)

**Announcements**:

- Important Security Bugfixes [2794](https://github.com/cobbler/cobbler/pull/2794) [#2795](https://github.com/cobbler/cobbler/issues/2795)
- Arbitrary Read was possible through `generate_script()`
- Arbitrary Write was possible through `upload_log_data()`
- Log poisoning with Remote-Code-Execution was possible through any XMLRPC method which logs to the logfile.
- There was an internal refactoring from runtime created Python attributes to Python Properties. This allows much
better data validation and thus better error handling but also introduced new bugs.
Related: [2433](https://github.com/cobbler/cobbler/pull/2433) [#2666](https://github.com/cobbler/cobbler/pull/2666) [#2677](https://github.com/cobbler/cobbler/pull/2677) [#2753](https://github.com/cobbler/cobbler/pull/2753) [#2699](https://github.com/cobbler/cobbler/issues/2699) [#2692](https://github.com/cobbler/cobbler/issues/2692) [#2684](https://github.com/cobbler/cobbler/pull/2684) [#2707](https://github.com/cobbler/cobbler/issues/2707) [2727](https://github.com/cobbler/cobbler/pull/2727) [#2726](https://github.com/cobbler/cobbler/pull/2726) [#2685](https://github.com/cobbler/cobbler/pull/2685) [#2675](https://github.com/cobbler/cobbler/issues/2675) [#2678](https://github.com/cobbler/cobbler/issues/2678) [#2682](https://github.com/cobbler/cobbler/pull/2682) [#2674](https://github.com/cobbler/cobbler/issues/2674) [#2676](https://github.com/cobbler/cobbler/pull/2676) [#2681](https://github.com/cobbler/cobbler/issues/2681) [#2683](https://github.com/cobbler/cobbler/pull/2683) [#2696](https://github.com/cobbler/cobbler/pull/2696) [#2702](https://github.com/cobbler/cobbler/pull/2702) [#2732](https://github.com/cobbler/cobbler/issues/2732) [#2733](https://github.com/cobbler/cobbler/pull/2733) [#2722](https://github.com/cobbler/cobbler/issues/2722) [#2680](https://github.com/cobbler/cobbler/issues/2680) [#2711](https://github.com/cobbler/cobbler/pull/2711)
- This is the first release with the new avatar [2604](https://github.com/cobbler/cobbler/issues/2604)

**New**:

- The `migrate-data-v2-to-v3.py` script is now packages and can directly be used [2591](https://github.com/cobbler/cobbler/pull/2591)
- The `mkgrub.sh` script was converted to the command `cobbler mkgrub` [2739](https://github.com/cobbler/cobbler/pull/2739) [#2721](https://github.com/cobbler/cobbler/issues/2721)
- We now have automigrations and validation for the application settings [2747](https://github.com/cobbler/cobbler/pull/2747) [#2719](https://github.com/cobbler/cobbler/issues/2719) [#2772](https://github.com/cobbler/cobbler/pull/2772) [#2769](https://github.com/cobbler/cobbler/pull/2769)
- New distros are now able to be imported:
- Debian 11 [2758](https://github.com/cobbler/cobbler/pull/2758)
- Fedora 34 [2713](https://github.com/cobbler/cobbler/pull/2713)
- `cobbler sync` now supports syncing only specified systems [2601](https://github.com/cobbler/cobbler/pull/2601)
- You can now define your own boot menu structure [2575](https://github.com/cobbler/cobbler/pull/2575)
- Cobbler is able to run on RockyLinux and import it [2627](https://github.com/cobbler/cobbler/pull/2627)
- DHCPv6 is now natively supported [2539](https://github.com/cobbler/cobbler/pull/2539) [#2511](https://github.com/cobbler/cobbler/issues/2511) [#2647](https://github.com/cobbler/cobbler/pull/2647)

**Changes**:

- Internal cache got fully removed with 2684 (related [2661](https://github.com/cobbler/cobbler/pull/2661))
- `cobbler get-loaders` was removed for security reasons [2572](https://github.com/cobbler/cobbler/pull/2572)
- Removed the `simplejson` dependency as it is redundant now [2572](https://github.com/cobbler/cobbler/pull/2602)
- Docs: Multiple enhancements [2599](https://github.com/cobbler/cobbler/pull/2599) [#2788](https://github.com/cobbler/cobbler/pull/2788)
- Logger: Changed to the default Python 3 logger (much more configurable) [2573](https://github.com/cobbler/cobbler/pull/2573)
- Old bootloaders which were not shipped by default got removed [2641](https://github.com/cobbler/cobbler/pull/2641)
- Windows autoinstallation was simplified [2767](https://github.com/cobbler/cobbler/pull/2767)
- We are now using `os.urandom` instead of `/dev/urandom` [2752](https://github.com/cobbler/cobbler/pull/2752)
- We have reduced the usage of the generic `CX` exception [2643](https://github.com/cobbler/cobbler/pull/2643)
- `ipmilanplus` is the default fence agent for power operations [2714](https://github.com/cobbler/cobbler/pull/2714)
- For nested GRUB menus we now show an indicator [2693](https://github.com/cobbler/cobbler/pull/2694) [#2693](https://github.com/cobbler/cobbler/issues/2693)
- Items can now be found even if the item type is not specified [2663](https://github.com/cobbler/cobbler/pull/2663)

**Bugfixes**:

- Be compliant with CORS pre-flight requests [2594](https://github.com/cobbler/cobbler/pull/2594)
- `cobbler reposync`: SSL related problems were fixed [2759](https://github.com/cobbler/cobbler/pull/2759)
- Autoinstall templates directory was wrong per default. [2590](https://github.com/cobbler/cobbler/pull/2590)
- We do not strip the last two characters anymore when rendering via an HTTP(S) Endpoint [2626](https://github.com/cobbler/cobbler/pull/2626)
- `cobbler check` does not complain about the old name of the settingsfile anymore [2630](https://github.com/cobbler/cobbler/pull/2630)
- openSUSE Tumbleweed AutoYAST templating was fixed again [2629](https://github.com/cobbler/cobbler/pull/2629) [#2628](https://github.com/cobbler/cobbler/issues/2628) [#2632](https://github.com/cobbler/cobbler/pull/2632)
- `cobbler hardlink` now works with non default web directories [2774](https://github.com/cobbler/cobbler/pull/2774)
- GRUB got a few Cobbler related fixes [2653](https://github.com/cobbler/cobbler/pull/2653) [#2792](https://github.com/cobbler/cobbler/pull/2792) [#2743](https://github.com/cobbler/cobbler/pull/2743)
- `pxe_just_once` is working as expected now [2783](https://github.com/cobbler/cobbler/issues/2783) [#2784](https://github.com/cobbler/cobbler/pull/2784)
- Anaconda installation process `ONBOOT` is now able to be set with and without qotation marks [2775](https://github.com/cobbler/cobbler/pull/2775)
- The Autoinstall Manager crashes correctly in case of an error [2791](https://github.com/cobbler/cobbler/pull/2791)
- `cobbler distro delete` now doesn't leave repository configs behind [2729](https://github.com/cobbler/cobbler/pull/2729) [#1370](https://github.com/cobbler/cobbler/issues/1370)
- `cobbler sync --dns` is now working as expected again [2710](https://github.com/cobbler/cobbler/issues/2710) [#2712](https://github.com/cobbler/cobbler/pull/2712)

**Other**:

- Internal Refactorings:
- Base class for all manager modules is used now [2610](https://github.com/cobbler/cobbler/pull/2610)
- Cobbler litesync was moved into Cobbler sync [2615](https://github.com/cobbler/cobbler/pull/2615)
- `field_info.py` functionality was removed since it was unused [2662](https://github.com/cobbler/cobbler/pull/2662)
- API is used instead of the collection manager [2652](https://github.com/cobbler/cobbler/pull/2652)
- Settings are now held in the API instead of the collection manager [2664](https://github.com/cobbler/cobbler/pull/2664)
- Directly use the UUID module where available [2650](https://github.com/cobbler/cobbler/pull/2650)
- Don't clone an object during rename [2744](https://github.com/cobbler/cobbler/pull/2744)
- `kopts_overwrite` is more error resistent now [2651](https://github.com/cobbler/cobbler/pull/2651)
- Docs:
- Added missing dependency for building [2571](https://github.com/cobbler/cobbler/pull/2571)
- Fix build errors [2633](https://github.com/cobbler/cobbler/pull/2633)
- Extend `__init__.py` files with content about Python modules [2642](https://github.com/cobbler/cobbler/pull/2642)
- Spelling [2731](https://github.com/cobbler/cobbler/pull/2731)
- Types for many external API methods [2785](https://github.com/cobbler/cobbler/pull/2785)
- Document properties [2773](https://github.com/cobbler/cobbler/pull/2773)
- General cleanup [2771](https://github.com/cobbler/cobbler/pull/2771)
- Tests: Multiple new testcases to improve stability and coverage [2656](https://github.com/cobbler/cobbler/pull/2656) [#2740](https://github.com/cobbler/cobbler/pull/2740) [#2745](https://github.com/cobbler/cobbler/pull/2745) [#1492](https://github.com/cobbler/cobbler/issues/1492) [#2645](https://github.com/cobbler/cobbler/pull/2645) [#2649](https://github.com/cobbler/cobbler/pull/2649)
- GitHub Issue templates were revamped [2578](https://github.com/cobbler/cobbler/pull/2578)
- Packaging: Specfile got a few improvements [2780](https://github.com/cobbler/cobbler/pull/2780)
- CI:
- Obsolete testing container [2730](https://github.com/cobbler/cobbler/pull/2730)
- Also use the openSUSE Build Service for packaging on PRs [2672](https://github.com/cobbler/cobbler/pull/2672)
- Package also for openSUSE [2607](https://github.com/cobbler/cobbler/pull/2607)
- Enhance the Setup scrips [2331](https://github.com/cobbler/cobbler/pull/2631)
- Development: Container now exposes 80 & 443 [2609](https://github.com/cobbler/cobbler/pull/2609)

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40325
• https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a
• https://github.com/cobbler/cobbler/releases/tag/v3.3.0