RHEL 8 : idm:DL1 and idm:client (RHSA-2020:4670)

medium Nessus Plugin ID 142435

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4670 advisory.

Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

The following packages have been upgraded to a later upstream version: ipa (4.8.7), softhsm (2.6.0), opendnssec (2.1.6). (BZ#1759888, BZ#1818765, BZ#1818877)

Security Fix(es):

* js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)

* bootstrap: XSS in the data-target attribute (CVE-2016-10735)

* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)

* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)

* bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)

* bootstrap: XSS in the affix configuration target property (CVE-2018-20677)

* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)

* js-jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)

* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)

* ipa: No password length restriction leads to denial of service (CVE-2020-1722)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?b7e37d18

http://www.nessus.org/u?e17bb368

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/errata/RHSA-2020:4670

https://bugzilla.redhat.com/show_bug.cgi?id=1399546

https://bugzilla.redhat.com/show_bug.cgi?id=1430365

https://bugzilla.redhat.com/show_bug.cgi?id=1488732

https://bugzilla.redhat.com/show_bug.cgi?id=1585020

https://bugzilla.redhat.com/show_bug.cgi?id=1601614

https://bugzilla.redhat.com/show_bug.cgi?id=1601617

https://bugzilla.redhat.com/show_bug.cgi?id=1651577

https://bugzilla.redhat.com/show_bug.cgi?id=1668082

https://bugzilla.redhat.com/show_bug.cgi?id=1668089

https://bugzilla.redhat.com/show_bug.cgi?id=1668097

https://bugzilla.redhat.com/show_bug.cgi?id=1686454

https://bugzilla.redhat.com/show_bug.cgi?id=1701233

https://bugzilla.redhat.com/show_bug.cgi?id=1701972

https://bugzilla.redhat.com/show_bug.cgi?id=1746830

https://bugzilla.redhat.com/show_bug.cgi?id=1750893

https://bugzilla.redhat.com/show_bug.cgi?id=1751295

https://bugzilla.redhat.com/show_bug.cgi?id=1757045

https://bugzilla.redhat.com/show_bug.cgi?id=1759888

https://bugzilla.redhat.com/show_bug.cgi?id=1768156

https://bugzilla.redhat.com/show_bug.cgi?id=1777806

https://bugzilla.redhat.com/show_bug.cgi?id=1793071

https://bugzilla.redhat.com/show_bug.cgi?id=1801698

https://bugzilla.redhat.com/show_bug.cgi?id=1802471

https://bugzilla.redhat.com/show_bug.cgi?id=1809835

https://bugzilla.redhat.com/show_bug.cgi?id=1810154

https://bugzilla.redhat.com/show_bug.cgi?id=1810179

https://bugzilla.redhat.com/show_bug.cgi?id=1813330

https://bugzilla.redhat.com/show_bug.cgi?id=1816784

https://bugzilla.redhat.com/show_bug.cgi?id=1818765

https://bugzilla.redhat.com/show_bug.cgi?id=1818877

https://bugzilla.redhat.com/show_bug.cgi?id=1828406

https://bugzilla.redhat.com/show_bug.cgi?id=1831732

https://bugzilla.redhat.com/show_bug.cgi?id=1831935

https://bugzilla.redhat.com/show_bug.cgi?id=1832331

https://bugzilla.redhat.com/show_bug.cgi?id=1833266

https://bugzilla.redhat.com/show_bug.cgi?id=1834264

https://bugzilla.redhat.com/show_bug.cgi?id=1834909

https://bugzilla.redhat.com/show_bug.cgi?id=1845211

https://bugzilla.redhat.com/show_bug.cgi?id=1845537

https://bugzilla.redhat.com/show_bug.cgi?id=1845596

https://bugzilla.redhat.com/show_bug.cgi?id=1846352

https://bugzilla.redhat.com/show_bug.cgi?id=1846434

https://bugzilla.redhat.com/show_bug.cgi?id=1847999

https://bugzilla.redhat.com/show_bug.cgi?id=1849914

https://bugzilla.redhat.com/show_bug.cgi?id=1851411

https://bugzilla.redhat.com/show_bug.cgi?id=1852244

https://bugzilla.redhat.com/show_bug.cgi?id=1853263

https://bugzilla.redhat.com/show_bug.cgi?id=1857157

https://bugzilla.redhat.com/show_bug.cgi?id=1858318

https://bugzilla.redhat.com/show_bug.cgi?id=1859213

https://bugzilla.redhat.com/show_bug.cgi?id=1863079

https://bugzilla.redhat.com/show_bug.cgi?id=1863616

https://bugzilla.redhat.com/show_bug.cgi?id=1866291

https://bugzilla.redhat.com/show_bug.cgi?id=1866938

https://bugzilla.redhat.com/show_bug.cgi?id=1868432

https://bugzilla.redhat.com/show_bug.cgi?id=1869311

https://bugzilla.redhat.com/show_bug.cgi?id=1870202

https://bugzilla.redhat.com/show_bug.cgi?id=1874015

https://bugzilla.redhat.com/show_bug.cgi?id=1875348

https://bugzilla.redhat.com/show_bug.cgi?id=1879604

Plugin Details

Severity: Medium

ID: 142435

File Name: redhat-RHSA-2020-4670.nasl

Version: 1.12

Type: local

Agent: unix

Published: 11/4/2020

Updated: 11/7/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.6

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2020-11022

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:softhsm-devel, p-cpe:/a:redhat:enterprise_linux:opendnssec, p-cpe:/a:redhat:enterprise_linux:ipa, p-cpe:/a:redhat:enterprise_linux:python3-ipaserver, p-cpe:/a:redhat:enterprise_linux:ipa-server-dns, p-cpe:/a:redhat:enterprise_linux:ipa-common, p-cpe:/a:redhat:enterprise_linux:ipa-server-trust-ad, p-cpe:/a:redhat:enterprise_linux:python3-jwcrypto, p-cpe:/a:redhat:enterprise_linux:slapi-nis, p-cpe:/a:redhat:enterprise_linux:ipa-client, p-cpe:/a:redhat:enterprise_linux:python3-ipalib, p-cpe:/a:redhat:enterprise_linux:ipa-client-common, p-cpe:/a:redhat:enterprise_linux:ipa-client-samba, p-cpe:/a:redhat:enterprise_linux:ipa-healthcheck, p-cpe:/a:redhat:enterprise_linux:python-jwcrypto, p-cpe:/a:redhat:enterprise_linux:python3-qrcode, p-cpe:/a:redhat:enterprise_linux:python-qrcode, p-cpe:/a:redhat:enterprise_linux:python3-qrcode-core, p-cpe:/a:redhat:enterprise_linux:ipa-selinux, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:ipa-server, p-cpe:/a:redhat:enterprise_linux:python3-custodia, p-cpe:/a:redhat:enterprise_linux:ipa-client-epn, p-cpe:/a:redhat:enterprise_linux:ipa-server-common, p-cpe:/a:redhat:enterprise_linux:bind-dyndb-ldap, p-cpe:/a:redhat:enterprise_linux:ipa-healthcheck-core, p-cpe:/a:redhat:enterprise_linux:python3-pyusb, p-cpe:/a:redhat:enterprise_linux:custodia, p-cpe:/a:redhat:enterprise_linux:python3-ipaclient, p-cpe:/a:redhat:enterprise_linux:python-yubico, p-cpe:/a:redhat:enterprise_linux:python3-kdcproxy, p-cpe:/a:redhat:enterprise_linux:ipa-python-compat, p-cpe:/a:redhat:enterprise_linux:pyusb, p-cpe:/a:redhat:enterprise_linux:python3-yubico, p-cpe:/a:redhat:enterprise_linux:softhsm, p-cpe:/a:redhat:enterprise_linux:python-kdcproxy

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/4/2020

Vulnerability Publication Date: 1/18/2018

Reference Information

CVE: CVE-2015-9251, CVE-2016-10735, CVE-2018-14040, CVE-2018-14042, CVE-2018-20676, CVE-2018-20677, CVE-2019-11358, CVE-2019-8331, CVE-2020-11022, CVE-2020-1722

BID: 108023, 105658, 107375

CWE: 400, 79

IAVA: 2018-A-0336-S, 2019-A-0020-S, 2019-A-0021-S, 2019-A-0128, 2019-A-0256-S, 2019-A-0384, 2020-A-0017, 2020-A-0150, 2020-A-0324, 2021-A-0032, 2021-A-0035-S, 2021-A-0196

IAVB: 2020-B-0030

RHSA: 2020:4670