Detections
Analytics
RHEL 7 : Satellite 6.3 (RHSA-2018:0336)
high Nessus Plugin ID 107053
Language:
Synopsis
The remote Red Hat host is missing one or more security updates.Description
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:0336 advisory.Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.
This update provides Satellite 6.3 packages for Red Hat Enterprise Linux 7 Satellite server. For the full list of new features provided by Satellite 6.3, see the Release Notes linked to in the references section.
See the Satellite 6 Installation Guide for detailed instructions on how to install a new Satellite 6.3 environment, or the Satellite 6 Upgrading and Updating guide for detailed instructions on how to upgrade from prior versions of Satellite 6.
All users who require Satellite version 6.3 are advised to install these new packages.
Security Fix(es):
* V8: integer overflow leading to buffer overflow in Zone::New (CVE-2016-1669)
* rubygem-will_paginate: XSS vulnerabilities (CVE-2013-6459)
* foreman: models with a 'belongs_to' association to an Organization do not verify association belongs to that Organization (CVE-2014-8183)
* foreman: inspect in a provisioning template exposes sensitive controller information (CVE-2016-3693)
* pulp: Unsafe use of bash $RANDOM for NSS DB password and seed (CVE-2016-3704)
* foreman: privilege escalation through Organization and Locations API (CVE-2016-4451)
* foreman: inside discovery-debug, the root password is displayed in plaintext (CVE-2016-4996)
* foreman: Persistent XSS in Foreman remote execution plugin (CVE-2016-6319)
* foreman: Stored XSS via organization/location with HTML in name (CVE-2016-8639)
* katello-debug: Possible symlink attacks due to use of predictable file names (CVE-2016-9595)
* rubygem-hammer_cli: no verification of API server's SSL certificate (CVE-2017-2667)
* foreman: Image password leak (CVE-2017-2672)
* pulp: Leakage of CA key in pulp-qpid-ssl-cfg (CVE-2016-3696)
* foreman: Information disclosure in provisioning template previews (CVE-2016-4995)
* foreman-debug: missing obfuscation of sensitive information (CVE-2016-9593)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Randy Barlow (RedHat) for reporting CVE-2016-3704 and Sander Bos for reporting CVE-2016-3696. The CVE-2014-8183 issue was discovered by Eric Helms (Red Hat); the CVE-2016-3693 and CVE-2016-4995 issues were discovered by Dominic Cleal (Red Hat); the CVE-2016-4451 and CVE-2016-6319 issues were discovered by Marek Huln (Red Hat); the CVE-2016-4996 issue was discovered by Thom Carlin (Red Hat); the CVE-2016-8639 issue was discovered by Sanket Jagtap (Red Hat); the CVE-2016-9595 issue was discovered by Evgeni Golov (Red Hat); the CVE-2017-2667 issue was discovered by Tomas Strachota (Red Hat);
and the CVE-2016-9593 issue was discovered by Pavel Moravec (Red Hat).
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
http://www.nessus.org/u?809d0a34
http://www.nessus.org/u?eab6a4df
https://access.redhat.com/errata/RHSA-2018:0336
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1019214
https://bugzilla.redhat.com/show_bug.cgi?id=1046642
https://bugzilla.redhat.com/show_bug.cgi?id=1132402
https://bugzilla.redhat.com/show_bug.cgi?id=1133515
https://bugzilla.redhat.com/show_bug.cgi?id=1140671
https://bugzilla.redhat.com/show_bug.cgi?id=1144042
https://bugzilla.redhat.com/show_bug.cgi?id=1145653
https://bugzilla.redhat.com/show_bug.cgi?id=1154382
https://bugzilla.redhat.com/show_bug.cgi?id=1177766
https://bugzilla.redhat.com/show_bug.cgi?id=1187338
https://bugzilla.redhat.com/show_bug.cgi?id=1190002
https://bugzilla.redhat.com/show_bug.cgi?id=1199204
https://bugzilla.redhat.com/show_bug.cgi?id=1210878
https://bugzilla.redhat.com/show_bug.cgi?id=1215825
https://bugzilla.redhat.com/show_bug.cgi?id=1217523
https://bugzilla.redhat.com/show_bug.cgi?id=1245642
https://bugzilla.redhat.com/show_bug.cgi?id=1255484
https://bugzilla.redhat.com/show_bug.cgi?id=1306723
https://bugzilla.redhat.com/show_bug.cgi?id=1309569
https://bugzilla.redhat.com/show_bug.cgi?id=1309944
https://bugzilla.redhat.com/show_bug.cgi?id=1313634
https://bugzilla.redhat.com/show_bug.cgi?id=1317614
https://bugzilla.redhat.com/show_bug.cgi?id=1318534
https://bugzilla.redhat.com/show_bug.cgi?id=1330264
https://bugzilla.redhat.com/show_bug.cgi?id=1335449
https://bugzilla.redhat.com/show_bug.cgi?id=1336924
https://bugzilla.redhat.com/show_bug.cgi?id=1339715
https://bugzilla.redhat.com/show_bug.cgi?id=1339889
https://bugzilla.redhat.com/show_bug.cgi?id=1376191
https://bugzilla.redhat.com/show_bug.cgi?id=1382356
https://bugzilla.redhat.com/show_bug.cgi?id=1382735
https://bugzilla.redhat.com/show_bug.cgi?id=1384146
https://bugzilla.redhat.com/show_bug.cgi?id=1384548
https://bugzilla.redhat.com/show_bug.cgi?id=1386266
https://bugzilla.redhat.com/show_bug.cgi?id=1386278
https://bugzilla.redhat.com/show_bug.cgi?id=1390545
https://bugzilla.redhat.com/show_bug.cgi?id=1391831
https://bugzilla.redhat.com/show_bug.cgi?id=1393291
https://bugzilla.redhat.com/show_bug.cgi?id=1393409
https://bugzilla.redhat.com/show_bug.cgi?id=1394056
https://bugzilla.redhat.com/show_bug.cgi?id=1435972
https://bugzilla.redhat.com/show_bug.cgi?id=1436262
https://bugzilla.redhat.com/show_bug.cgi?id=1438376
https://bugzilla.redhat.com/show_bug.cgi?id=1439537
https://bugzilla.redhat.com/show_bug.cgi?id=1439850
https://bugzilla.redhat.com/show_bug.cgi?id=1445807
https://bugzilla.redhat.com/show_bug.cgi?id=1446707
https://bugzilla.redhat.com/show_bug.cgi?id=1446719
https://bugzilla.redhat.com/show_bug.cgi?id=1452124
https://bugzilla.redhat.com/show_bug.cgi?id=1455057
https://bugzilla.redhat.com/show_bug.cgi?id=1455455
https://bugzilla.redhat.com/show_bug.cgi?id=1458817
https://bugzilla.redhat.com/show_bug.cgi?id=1464224
https://bugzilla.redhat.com/show_bug.cgi?id=1468248
https://bugzilla.redhat.com/show_bug.cgi?id=1480346
https://bugzilla.redhat.com/show_bug.cgi?id=1480348
https://bugzilla.redhat.com/show_bug.cgi?id=1480886
https://bugzilla.redhat.com/show_bug.cgi?id=1493001
https://bugzilla.redhat.com/show_bug.cgi?id=1493494
https://bugzilla.redhat.com/show_bug.cgi?id=1517827
https://bugzilla.redhat.com/show_bug.cgi?id=1529099
https://bugzilla.redhat.com/show_bug.cgi?id=1257588
https://bugzilla.redhat.com/show_bug.cgi?id=1260697
https://bugzilla.redhat.com/show_bug.cgi?id=1263748
https://bugzilla.redhat.com/show_bug.cgi?id=1264043
https://bugzilla.redhat.com/show_bug.cgi?id=1264732
https://bugzilla.redhat.com/show_bug.cgi?id=1265125
https://bugzilla.redhat.com/show_bug.cgi?id=1270771
https://bugzilla.redhat.com/show_bug.cgi?id=1274159
https://bugzilla.redhat.com/show_bug.cgi?id=1278642
https://bugzilla.redhat.com/show_bug.cgi?id=1278644
https://bugzilla.redhat.com/show_bug.cgi?id=1284686
https://bugzilla.redhat.com/show_bug.cgi?id=1291935
https://bugzilla.redhat.com/show_bug.cgi?id=1292510
https://bugzilla.redhat.com/show_bug.cgi?id=1293538
https://bugzilla.redhat.com/show_bug.cgi?id=1303103
https://bugzilla.redhat.com/show_bug.cgi?id=1304608
https://bugzilla.redhat.com/show_bug.cgi?id=1305059
https://bugzilla.redhat.com/show_bug.cgi?id=1323436
https://bugzilla.redhat.com/show_bug.cgi?id=1324508
https://bugzilla.redhat.com/show_bug.cgi?id=1327030
https://bugzilla.redhat.com/show_bug.cgi?id=1327471
https://bugzilla.redhat.com/show_bug.cgi?id=1328238
https://bugzilla.redhat.com/show_bug.cgi?id=1328930
https://bugzilla.redhat.com/show_bug.cgi?id=1340559
https://bugzilla.redhat.com/show_bug.cgi?id=1342623
https://bugzilla.redhat.com/show_bug.cgi?id=1344049
https://bugzilla.redhat.com/show_bug.cgi?id=1348939
https://bugzilla.redhat.com/show_bug.cgi?id=1349136
https://bugzilla.redhat.com/show_bug.cgi?id=1361473
https://bugzilla.redhat.com/show_bug.cgi?id=1365815
https://bugzilla.redhat.com/show_bug.cgi?id=1366029
https://bugzilla.redhat.com/show_bug.cgi?id=1370168
https://bugzilla.redhat.com/show_bug.cgi?id=1376134
https://bugzilla.redhat.com/show_bug.cgi?id=1402922
https://bugzilla.redhat.com/show_bug.cgi?id=1406384
https://bugzilla.redhat.com/show_bug.cgi?id=1406729
https://bugzilla.redhat.com/show_bug.cgi?id=1410872
https://bugzilla.redhat.com/show_bug.cgi?id=1412186
https://bugzilla.redhat.com/show_bug.cgi?id=1413851
https://bugzilla.redhat.com/show_bug.cgi?id=1416119
https://bugzilla.redhat.com/show_bug.cgi?id=1417073
https://bugzilla.redhat.com/show_bug.cgi?id=1420711
https://bugzilla.redhat.com/show_bug.cgi?id=1422458
https://bugzilla.redhat.com/show_bug.cgi?id=1425121
https://bugzilla.redhat.com/show_bug.cgi?id=1425523
https://bugzilla.redhat.com/show_bug.cgi?id=1426404
https://bugzilla.redhat.com/show_bug.cgi?id=1426411
https://bugzilla.redhat.com/show_bug.cgi?id=1426448
https://bugzilla.redhat.com/show_bug.cgi?id=1428761
Plugin Details
Severity: High
ID: 107053
File Name: redhat-RHSA-2018-0336.nasl
Version: 3.9
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 2/28/2018
Updated: 6/3/2024
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 9.3
Temporal Score: 7.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2016-1669
CVSS v3
Risk Factor: High
Base Score: 8.8
Temporal Score: 7.9
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS Score Source: CVE-2017-2672
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:foreman-rackspace, p-cpe:/a:redhat:enterprise_linux:pulp-server, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_docker, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_templates, p-cpe:/a:redhat:enterprise_linux:redhat-access-insights-puppet, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks, p-cpe:/a:redhat:enterprise_linux:katello-installer-base, p-cpe:/a:redhat:enterprise_linux:pulp, p-cpe:/a:redhat:enterprise_linux:pulp-rpm-plugins, p-cpe:/a:redhat:enterprise_linux:pulp-ostree-plugins, p-cpe:/a:redhat:enterprise_linux:pulp-docker, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_discovery, p-cpe:/a:redhat:enterprise_linux:python-pulp-puppet-common, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_virt_who_configure, p-cpe:/a:redhat:enterprise_linux:python-zope-interface, p-cpe:/a:redhat:enterprise_linux:katello-selinux, p-cpe:/a:redhat:enterprise_linux:pulp-nodes-child, p-cpe:/a:redhat:enterprise_linux:rubygem-kafo_wizards, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dynflow, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-katello_ostree, p-cpe:/a:redhat:enterprise_linux:foreman-libvirt, p-cpe:/a:redhat:enterprise_linux:python-pulp-oid_validation, p-cpe:/a:redhat:enterprise_linux:rubygem-foreman_scap_client, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution_core, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-katello, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks-core, p-cpe:/a:redhat:enterprise_linux:hiera, p-cpe:/a:redhat:enterprise_linux:satellite-capsule, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-bastion, p-cpe:/a:redhat:enterprise_linux:foreman-installer-katello, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_discovery_image, p-cpe:/a:redhat:enterprise_linux:python-pulp-streamer, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_bootdisk, p-cpe:/a:redhat:enterprise_linux:foreman-postgresql, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_theme_satellite, p-cpe:/a:redhat:enterprise_linux:satellite-debug-tools, p-cpe:/a:redhat:enterprise_linux:python-pulp-client-lib, p-cpe:/a:redhat:enterprise_linux:foreman-cli, p-cpe:/a:redhat:enterprise_linux:pulp-admin-client, p-cpe:/a:redhat:enterprise_linux:foreman-proxy-content, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-redhat_access, p-cpe:/a:redhat:enterprise_linux:foreman-installer, p-cpe:/a:redhat:enterprise_linux:pulp-puppet-tools, p-cpe:/a:redhat:enterprise_linux:python-pulp-rpm-common, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_openscap, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_bootdisk, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:python-pulp-ostree-common, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ovirt_provision_plugin, p-cpe:/a:redhat:enterprise_linux:candlepin, p-cpe:/a:redhat:enterprise_linux:rubygem-kafo, p-cpe:/a:redhat:enterprise_linux:satellite-cli, p-cpe:/a:redhat:enterprise_linux:foreman-vmware, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_tasks, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_hooks, p-cpe:/a:redhat:enterprise_linux:foreman-gce, p-cpe:/a:redhat:enterprise_linux:foreman-selinux, p-cpe:/a:redhat:enterprise_linux:pulp-rpm, p-cpe:/a:redhat:enterprise_linux:puppet-foreman_scap_client, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_openscap, p-cpe:/a:redhat:enterprise_linux:pulp-docker-plugins, p-cpe:/a:redhat:enterprise_linux:foreman, p-cpe:/a:redhat:enterprise_linux:katello-common, p-cpe:/a:redhat:enterprise_linux:pulp-nodes-parent, p-cpe:/a:redhat:enterprise_linux:pulp-nodes-common, p-cpe:/a:redhat:enterprise_linux:pulp-katello, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_remote_execution_ssh, p-cpe:/a:redhat:enterprise_linux:pulp-ostree, p-cpe:/a:redhat:enterprise_linux:foreman-proxy, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_docker, p-cpe:/a:redhat:enterprise_linux:pulp-rpm-admin-extensions, p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image, p-cpe:/a:redhat:enterprise_linux:pulp-docker-admin-extensions, p-cpe:/a:redhat:enterprise_linux:python-pulp-agent-lib, p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat-tftpboot, p-cpe:/a:redhat:enterprise_linux:rubygem-tilt, p-cpe:/a:redhat:enterprise_linux:python-pulp-repoauth, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_remote_execution, p-cpe:/a:redhat:enterprise_linux:satellite-common, p-cpe:/a:redhat:enterprise_linux:pulp-selinux, p-cpe:/a:redhat:enterprise_linux:satellite, p-cpe:/a:redhat:enterprise_linux:foreman-compute, p-cpe:/a:redhat:enterprise_linux:satellite-installer, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_discovery, p-cpe:/a:redhat:enterprise_linux:python-pulp-bindings, p-cpe:/a:redhat:enterprise_linux:foreman-debug, p-cpe:/a:redhat:enterprise_linux:katello-debug, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dhcp_remote_isc, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_csv, p-cpe:/a:redhat:enterprise_linux:kobo, p-cpe:/a:redhat:enterprise_linux:pulp-puppet-admin-extensions, p-cpe:/a:redhat:enterprise_linux:foreman-ec2, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_admin, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_katello, p-cpe:/a:redhat:enterprise_linux:katello-service, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_discovery, p-cpe:/a:redhat:enterprise_linux:foreman-openstack, p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat, p-cpe:/a:redhat:enterprise_linux:python-pulp-docker-common, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_openscap, p-cpe:/a:redhat:enterprise_linux:foreman-ovirt, p-cpe:/a:redhat:enterprise_linux:katello-client-bootstrap, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_pulp, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_virt_who_configure, p-cpe:/a:redhat:enterprise_linux:python-pulp-common, p-cpe:/a:redhat:enterprise_linux:candlepin-selinux, p-cpe:/a:redhat:enterprise_linux:katello, p-cpe:/a:redhat:enterprise_linux:pulp-ostree-admin-extensions, p-cpe:/a:redhat:enterprise_linux:pulp-puppet-plugins, p-cpe:/a:redhat:enterprise_linux:pulp-puppet, p-cpe:/a:redhat:enterprise_linux:katello-certs-tools, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dynflow_core, p-cpe:/a:redhat:enterprise_linux:rubygem-kafo_parsers
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 2/21/2018
Vulnerability Publication Date: 12/31/2013
Reference Information
CVE: CVE-2013-6459, CVE-2014-8183, CVE-2016-1669, CVE-2016-3693, CVE-2016-3696, CVE-2016-3704, CVE-2016-4451, CVE-2016-4995, CVE-2016-4996, CVE-2016-6319, CVE-2016-7077, CVE-2016-7078, CVE-2016-8613, CVE-2016-8634, CVE-2016-8639, CVE-2016-9593, CVE-2016-9595, CVE-2017-15699, CVE-2017-2295, CVE-2017-2667, CVE-2017-2672, CVE-2018-14623