Detections
Analytics
RHEL 7 : CloudForms 4.7.5 (RHSA-2019:1429)
high Nessus Plugin ID 193687
Language:
Synopsis
The remote Red Hat host is missing one or more security updates.Description
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:1429 advisory.Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Security Fix(es):
* rubygems: Installing a malicious gem may lead to arbitrary code execution (CVE-2019-8324)
* rubygems: Delete directory using symlink when decompressing tar (CVE-2019-8320)
* rubygems: Escape sequence injection vulnerability in verbose (CVE-2019-8321)
* rubygems: Escape sequence injection vulnerability in gem owner (CVE-2019-8322)
* rubygems: Escape sequence injection vulnerability in API response handling (CVE-2019-8323)
* rubygems: Escape sequence injection vulnerability in errors (CVE-2019-8325)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
https://bugzilla.redhat.com/show_bug.cgi?id=1711033
https://bugzilla.redhat.com/show_bug.cgi?id=1711034
https://bugzilla.redhat.com/show_bug.cgi?id=1711035
https://bugzilla.redhat.com/show_bug.cgi?id=1711036
https://bugzilla.redhat.com/show_bug.cgi?id=1711283
https://bugzilla.redhat.com/show_bug.cgi?id=1711285
https://bugzilla.redhat.com/show_bug.cgi?id=1711957
https://bugzilla.redhat.com/show_bug.cgi?id=1711981
https://bugzilla.redhat.com/show_bug.cgi?id=1712135
https://bugzilla.redhat.com/show_bug.cgi?id=1712440
https://bugzilla.redhat.com/show_bug.cgi?id=1712595
https://bugzilla.redhat.com/show_bug.cgi?id=1713477
https://bugzilla.redhat.com/show_bug.cgi?id=1713731
https://bugzilla.redhat.com/show_bug.cgi?id=1713732
https://bugzilla.redhat.com/show_bug.cgi?id=1717500
https://bugzilla.redhat.com/show_bug.cgi?id=1717501
http://www.nessus.org/u?793c545e
https://access.redhat.com/errata/RHSA-2019:1429
https://access.redhat.com/security/updates/classification/#important
http://www.nessus.org/u?5668a5e0
https://bugzilla.redhat.com/show_bug.cgi?id=1669023
https://bugzilla.redhat.com/show_bug.cgi?id=1692512
https://bugzilla.redhat.com/show_bug.cgi?id=1692514
https://bugzilla.redhat.com/show_bug.cgi?id=1692516
https://bugzilla.redhat.com/show_bug.cgi?id=1692519
https://bugzilla.redhat.com/show_bug.cgi?id=1692520
https://bugzilla.redhat.com/show_bug.cgi?id=1692522
https://bugzilla.redhat.com/show_bug.cgi?id=1703104
https://bugzilla.redhat.com/show_bug.cgi?id=1710497
https://bugzilla.redhat.com/show_bug.cgi?id=1710578
https://bugzilla.redhat.com/show_bug.cgi?id=1710606
https://bugzilla.redhat.com/show_bug.cgi?id=1710608
https://bugzilla.redhat.com/show_bug.cgi?id=1710610
https://bugzilla.redhat.com/show_bug.cgi?id=1710998
Plugin Details
Severity: High
ID: 193687
File Name: redhat-RHSA-2019-1429.nasl
Version: 1.1
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 4/22/2024
Updated: 6/3/2024
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.0
CVSS v2
Risk Factor: High
Base Score: 8.8
Temporal Score: 6.9
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:C/A:C
CVSS Score Source: CVE-2019-8320
CVSS v3
Risk Factor: High
Base Score: 8.8
Temporal Score: 7.9
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS Score Source: CVE-2019-8324
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:ruby-irb, p-cpe:/a:redhat:enterprise_linux:cfme-appliance-common, p-cpe:/a:redhat:enterprise_linux:cfme-gemset, p-cpe:/a:redhat:enterprise_linux:rubygem-net-telnet, p-cpe:/a:redhat:enterprise_linux:rubygem-rdoc, p-cpe:/a:redhat:enterprise_linux:rubygem-io-console, p-cpe:/a:redhat:enterprise_linux:rubygem-psych, p-cpe:/a:redhat:enterprise_linux:rubygem-minitest, p-cpe:/a:redhat:enterprise_linux:rubygem-xmlrpc, p-cpe:/a:redhat:enterprise_linux:rubygem-openssl, p-cpe:/a:redhat:enterprise_linux:cfme, p-cpe:/a:redhat:enterprise_linux:cfme-appliance-tools, p-cpe:/a:redhat:enterprise_linux:rubygem-did_you_mean, p-cpe:/a:redhat:enterprise_linux:cfme-amazon-smartstate, p-cpe:/a:redhat:enterprise_linux:ruby-libs, p-cpe:/a:redhat:enterprise_linux:rubygem-bigdecimal, p-cpe:/a:redhat:enterprise_linux:cfme-appliance, p-cpe:/a:redhat:enterprise_linux:rubygems-devel, p-cpe:/a:redhat:enterprise_linux:ruby-devel, p-cpe:/a:redhat:enterprise_linux:ruby-doc, p-cpe:/a:redhat:enterprise_linux:rubygem-power_assert, p-cpe:/a:redhat:enterprise_linux:rubygems, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:rubygem-test-unit, p-cpe:/a:redhat:enterprise_linux:rubygem-rake, p-cpe:/a:redhat:enterprise_linux:ruby
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 6/11/2019
Vulnerability Publication Date: 4/11/2019
Reference Information
CVE: CVE-2019-8320, CVE-2019-8321, CVE-2019-8322, CVE-2019-8323, CVE-2019-8324, CVE-2019-8325