(RHSA-2014:0558) Low: rhevm-reports 3.3.3 security and bug fix update

2014-05-27T04:00:00
ID RHSA-2014:0558
Type redhat
Reporter RedHat
Modified 2018-06-07T09:00:02

Description

The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports.

It was found that the ovirt-engine-reports setup script logged the reports database password in plain text to a world-readable file. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access, read, and modify the reports database. (CVE-2014-0199)

Note: Applying the update provided by this advisory does not modify any existing log files. It is recommended that you search your existing log files and remove any occurrences of plain text passwords manually.

It was found that the Red Hat Enterprise Virtualization Manager reports datasource configuration file (js-jboss7-ds.xml) was world-readable. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access, read, and modify the reports database. (CVE-2014-0200)

It was found that multiple ovirt-engine-reports configuration files were world-readable. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access a variety of potentially sensitive information. (CVE-2014-0201)

These issues were discovered by Red Hat.

This update also fixes the following bug:

  • Previously, rhevm-reports-setup failed if the default spacing of the pg_hba.conf file was manually modified. Now, the command does not check exact spacing in the file, and setup completes successfully. (BZ#1085374)

All rhevm-reports users are advised to upgrade to this updated package, which corrects these issues.