RHEL 7 : Satellite 6.9.9 Async Bug Fix Update (Important) (RHSA-2022:1478)

critical Nessus Plugin ID 160039

Synopsis

The remote Red Hat host is missing a security update.

Description

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2022:1478 advisory.

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security Fix(es):
2023859 CVE-2021-27023 - puppet: unsafe HTTP redirect

This update fixes the following bugs:

1929347 pulp3: Ensure migration plugin runs in FIPS mode and respects the ALLOWED_CONTENT_CHECKSUMS configuration 1992267 Incorrect puppet module count when a content view is added to the composite content view.
1998796 Pulp 3 migration failed with missing repositories.
2005392 If the migration plan is empty, all repositories get migrated.
2019563 Missing fields on MD5 repos in repomd.xml on a FIPS enabled satellite 2025804 Option Verify Checksum not listed under Advanced Sync Options 2027086 The katello:pulp3_migration reports wrong failed component names if one or all pulp3 related services has failed to start during content-migration process 2027127 Pulp 2 to 3 migration fails on certain repos during the upgrade with FileNotFoundError: [Errno 2] No such file or directory: in prepare_metadata_files 2027250 CVE-2021-27023 puppetserver: puppet: unsafe HTTP redirect [rhn_satellite_6.9] 2027253 CVE-2021-27023 puppet-agent: puppet: unsafe HTTP redirect [rhn_satellite_6.9] 2032843 pulp3: 2to3 migration fails with Katello::Errors::Pulp3Error: the cursor;_django_curs_XXXX_XXXX does not exist 2033951 [Pulp3] The pulp2-3 migration fails to migrate Alma Linux BaseOS repo with error Katello::Errors::Pulp3Error: No declared artifact with relative path images boot.iso 2038739 Extremely difficult to tell what repositories to Verify Checksum on when there are hundreds or thousands of packages listed as corrupted 2038742 pulp3 content migration failed with Katello::Errors::Pulp3Error: local variable item referenced before assignment 2039059 Pulp3: Migration fails with error Katello::Errors::Pulp3Error: Empty variable tag 2039112 pulp3 migration stats drastically underestimate migration times 2043742 foreman-rake katello:approve_corrupted_migration_content fails with services 2043933 The pulp2-pulp3 migration should fail if not all the errata content has been migrated while upgrading to Satellite 6.10 2051970 pulp2to3 migration fails to migrate docker_blob content due to aggregate mongo 100M limit 2061715 Publication creation (during migration to pulp3 as well) can fail if pulp is NFS share

Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected puppet-agent and / or puppetserver packages.

See Also

http://www.nessus.org/u?2701a8ef

https://access.redhat.com/security/updates/classification/#important

https://access.redhat.com/errata/RHSA-2022:1478

https://bugzilla.redhat.com/show_bug.cgi?id=1929347

https://bugzilla.redhat.com/show_bug.cgi?id=1992267

https://bugzilla.redhat.com/show_bug.cgi?id=1998796

https://bugzilla.redhat.com/show_bug.cgi?id=2005392

https://bugzilla.redhat.com/show_bug.cgi?id=2019563

https://bugzilla.redhat.com/show_bug.cgi?id=2023859

https://bugzilla.redhat.com/show_bug.cgi?id=2025804

https://bugzilla.redhat.com/show_bug.cgi?id=2027086

https://bugzilla.redhat.com/show_bug.cgi?id=2027127

https://bugzilla.redhat.com/show_bug.cgi?id=2032843

https://bugzilla.redhat.com/show_bug.cgi?id=2033951

https://bugzilla.redhat.com/show_bug.cgi?id=2038739

https://bugzilla.redhat.com/show_bug.cgi?id=2038742

https://bugzilla.redhat.com/show_bug.cgi?id=2039059

https://bugzilla.redhat.com/show_bug.cgi?id=2039112

https://bugzilla.redhat.com/show_bug.cgi?id=2043742

https://bugzilla.redhat.com/show_bug.cgi?id=2043933

https://bugzilla.redhat.com/show_bug.cgi?id=2051970

https://bugzilla.redhat.com/show_bug.cgi?id=2061715

Plugin Details

Severity: Critical

ID: 160039

File Name: redhat-RHSA-2022-1478.nasl

Version: 1.8

Type: local

Agent: unix

Published: 4/21/2022

Updated: 11/7/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-27023

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:puppet-agent, p-cpe:/a:redhat:enterprise_linux:puppetserver, cpe:/o:redhat:enterprise_linux:7

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 4/20/2022

Vulnerability Publication Date: 11/18/2021

Reference Information

CVE: CVE-2021-27023

CWE: 200

RHSA: 2022:1478