RHEL 6 : rhevm-reports 3.3.3 (RHSA-2014:0558)

low Nessus Plugin ID 79022

Synopsis

The remote Red Hat host is missing a security update.

Description

An updated rhevm-reports package that fixes three security issues and one bug is now available.

The Red Hat Security Response Team has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports.

It was found that the ovirt-engine-reports setup script logged the reports database password in plain text to a world-readable file. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access, read, and modify the reports database. (CVE-2014-0199)

Note: Applying the update provided by this advisory does not modify any existing log files. It is recommended that you search your existing log files and remove any occurrences of plain text passwords manually.

It was found that the Red Hat Enterprise Virtualization Manager reports datasource configuration file (js-jboss7-ds.xml) was world-readable. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access, read, and modify the reports database. (CVE-2014-0200)

It was found that multiple ovirt-engine-reports configuration files were world-readable. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access a variety of potentially sensitive information. (CVE-2014-0201)

These issues were discovered by Red Hat.

This update also fixes the following bug :

* Previously, rhevm-reports-setup failed if the default spacing of the pg_hba.conf file was manually modified. Now, the command does not check exact spacing in the file, and setup completes successfully.
(BZ#1085374)

All rhevm-reports users are advised to upgrade to this updated package, which corrects these issues.

Solution

Update the affected rhevm-reports package.

See Also

https://access.redhat.com/errata/RHSA-2014:0558

https://access.redhat.com/security/cve/cve-2014-0200

https://access.redhat.com/security/cve/cve-2014-0199

https://access.redhat.com/security/cve/cve-2014-0201

Plugin Details

Severity: Low

ID: 79022

File Name: redhat-RHSA-2014-0558.nasl

Version: 1.14

Type: local

Agent: unix

Published: 11/8/2014

Updated: 1/14/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:rhevm-reports, cpe:/o:redhat:enterprise_linux:6

Required KB Items: Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 5/27/2014

Vulnerability Publication Date: 5/29/2014

Reference Information

CVE: CVE-2014-0199, CVE-2014-0200, CVE-2014-0201

BID: 67682, 67684

RHSA: 2014:0558