Low: keycloak-httpd-client-install

Issue Overview:

It was discovered that keycloak-httpd-client-install uses a predictable log file name in /tmp. A local attacker could create a symbolic link to a sensitive location, possibly causing data corruption or denial of service.(CVE-2017-15111)

In keycloak-http-client-install prior to version 0.8, the admin password could be provided through a command-line argument. This might result in the password being leaked through shell history, or becoming visible to a local attacker at the time the program is running.(CVE-2017-15112)

Affected Packages:

keycloak-httpd-client-install

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update keycloak-httpd-client-install to update your system.

New Packages:

noarch:  
    keycloak-httpd-client-install-0.8-1.amzn2.noarch  
    python2-keycloak-httpd-client-install-0.8-1.amzn2.noarch  
  
src:  
    keycloak-httpd-client-install-0.8-1.amzn2.src  

Additional References

Red Hat: CVE-2017-15111, CVE-2017-15112

Mitre: CVE-2017-15111, CVE-2017-15112