RedHatRHSA-2012:1543(RHSA-2012:1543) Important: CloudForms System Engine 1.1 update
5.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
62.3%
Red Hat CloudForms is an on-premise hybrid cloud
Infrastructure-as-a-Service (IaaS) product that lets you create and manage
private and public clouds.
This update fixes bugs in and adds enhancements to the System Engine
packages, and upgrades the system to CloudForms 1.1.
This update also fixes the following security issues:
It was discovered that Katello did not properly check user permissions when
handling certain requests. An authenticated remote attacker could use this
flaw to download consumer certificates or change settings of other users’
systems if they knew the target system’s UUID. (CVE-2012-5603)
It was discovered that Pulp logged administrative passwords to a world
readable log file. A local attacker could use this flaw to control systems
deployed and managed by CloudForms. (CVE-2012-3538)
It was discovered that the Pulp configuration file pulp.conf was installed
as world readable. A local attacker could use this flaw to view the
administrative password, allowing them to control systems deployed and
managed by CloudForms. (CVE-2012-4574)
It was discovered that grinder used insecure permissions for its cache
directory. A local attacker could use this flaw to access or modify files
in the cache. (CVE-2012-5605)
The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat;
CVE-2012-3538 was discovered by James Laska of Red Hat; CVE-2012-4574 was
discovered by Kurt Seifried of Red Hat; and CVE-2012-5605 was discovered by
James Labocki of Red Hat.
After upgrading to these new packages, follow the instructions in the “4.1.
Upgrading CloudForms System Engine” section of the CloudForms 1.1
Installation Guide:
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html
To view the full list of changes in this update, view the CloudForms
Technical Notes:
https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Technical_Notes/index.html
Users are advised to upgrade to these updated CloudForms System Engine
packages, which resolve these issues and add these enhancements.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| RedHat | 5 | noarch | katello-agent | < 1.1.2-1.el5 | katello-agent-1.1.2-1.el5.noarch.rpm |
| RedHat | 5 | noarch | python-gofer | < 0.66.1-2.el5 | python-gofer-0.66.1-2.el5.noarch.rpm |
| RedHat | 5 | noarch | gofer-watchdog | < 0.66.1-2.el5 | gofer-watchdog-0.66.1-2.el5.noarch.rpm |
| RedHat | 5 | src | katello-agent | < 1.1.2-1.el5 | katello-agent-1.1.2-1.el5.src.rpm |
| RedHat | 5 | noarch | gofer-package | < 0.66.1-2.el5 | gofer-package-0.66.1-2.el5.noarch.rpm |
| RedHat | 5 | src | gofer | < 0.66.1-2.el5 | gofer-0.66.1-2.el5.src.rpm |
| RedHat | 5 | noarch | gofer | < 0.66.1-2.el5 | gofer-0.66.1-2.el5.noarch.rpm |
Related
5.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
62.3%