RHEL 6 / 7 : Satellite 6.1.5 update (Moderate) (RHSA-2015:2622)

medium Nessus Plugin ID 87452

Synopsis

The remote Red Hat host is missing a security update.

Description

The remote Red Hat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2015:2622 advisory.

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

The following security issue is addressed with this release:

Satellite failed to properly enforce permissions on the show and destroy actions for reports. This could lead to an authenticated user with show and/or destroy report permissions being able to view and/or delete any reports held in Foreman. (CVE-2015-5233)

In addition, this update adds the following enhancement:

* Satellite 6 has been enhanced with the PXE-Less Discovery feature. This feature supports the use of a single ISO to provision machines against specific host groups. The users can provide the network information so that the host does not need to be created on Satellite in advance and DHCP does not need to be used. (BZ#1258061)

This update also fixes the following bugs:

* The installer was not processing the '\' character correctly, leading to failed installations using proxies. This character is now handled correctly, improving the installation experience. (BZ#1180637)

* Help text provided by the installer had a typo which has now been fixed. (BZ#1209139)

* The hammer container list command did not provide the container ID. This data is now provided. (BZ#1230915)

* Repository Sync Tasks in the UI were reported as successful if there was an unhandled exception in the code. These exceptions are now handled correctly, and the correct status is reported. (BZ#1246054)

* The installer would remove the dhcpd.conf even if the installer was told not to. This would remove users' configurations. The installer has been updated to not manage this file unless requested. (BZ#1247397)

* The history diff page for templates was opening two pages when only one was required. The duplicate page is no longer opened. (BZ#1254909)

* During provisioning, the default root password was not used when a hostgroup had a blank string for the root password. Since the UI can not set an empty value, the code was updated to cause either no or an empty root password to use the default. (BZ#1255021)

* Multi selection was not working for discovered hosts. This feature is now working. (BZ#1258521)

* When there is a MAC address conflict, discovered hosts do not change their state to Built. The code has been updated to handle this case. (BZ#1258578)

* Deleting a lifecycle environment would fail with a dependent hosts error. This was due to an incorrect mapping between environments and hosts. This mapping has been fixed, and the environments can be deleted. (BZ#1269441)

* There were performance issues in package installations. The speed of this action has been improved. (BZ#1276443, BZ#1269509, BZ#1277269)

* Synchronization tasks seemed to be randomly stuck due to timeouts. The locking in the qpid code has been improved to keep these tasks from getting stuck. (BZ#1279502)

* This change enables users of CloudForms 4.0 to proxy Red Hat Insights requests through Satellite. The Satellite can now act as a proxy for both CloudForms 4.0 and Satellite-only use cases. (BZ#1276676)

Users of Red Hat Satellite are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add this enhancement.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
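The flaw behind CVE-2015-5233 (CWE-284, improper access control) is the common pattern of checking that a user holds a permission bit and then loading a record by ID from the unfiltered table, so the user's role filters never constrain which report the ID may point at. The following is an added illustration of that pattern beside its hardened form; it is not Foreman, Satellite, Red Hat or Tenable code. The Report, ReportStore, User and controller classes, the host-based filter and the sample data are all hypothetical stand-ins for the Rails model and controller layer.

```ruby
# Added illustration of the CWE-284 pattern behind CVE-2015-5233; this is not
# Foreman or Satellite code. Report, ReportStore, User and the two controller
# classes are hypothetical stand-ins for the Rails model and controller layer.

Report = Struct.new(:id, :host)

# In-memory stand-in for the reports table.
class ReportStore
  def initialize(reports)
    @reports = reports
  end

  def all
    @reports
  end

  def find(id)
    @reports.find { |r| r.id == id } or raise KeyError, "no report #{id}"
  end
end

# A user carries permission names plus a filter that restricts which hosts
# those permissions apply to (the same idea as role filters in Foreman).
class User
  def initialize(permissions:, host_filter:)
    @permissions = permissions
    @host_filter = host_filter
  end

  def can?(perm)
    @permissions.include?(perm)
  end

  def allowed_host?(host)
    @host_filter.include?(host)
  end
end

# Vulnerable pattern: only the permission bit is checked, then the record is
# loaded by id from the unfiltered table, so every report id is reachable.
class VulnerableReportsController
  def initialize(store)
    @store = store
  end

  def show(user, id)
    raise "forbidden" unless user.can?(:view_reports)
    @store.find(id)
  end

  def destroy(user, id)
    raise "forbidden" unless user.can?(:destroy_reports)
    @store.all.delete(@store.find(id))
  end
end

# Hardened pattern: the lookup happens inside the scope the user's filter
# permits, so an id outside that scope is treated exactly like a missing one.
class HardenedReportsController
  def initialize(store)
    @store = store
  end

  def show(user, id)
    find_in_scope(user, :view_reports, id)
  end

  def destroy(user, id)
    @store.all.delete(find_in_scope(user, :destroy_reports, id))
  end

  private

  def find_in_scope(user, perm, id)
    raise "forbidden" unless user.can?(perm)
    scope = @store.all.select { |r| user.allowed_host?(r.host) }
    scope.find { |r| r.id == id } or raise "forbidden"
  end
end

# Constructed sample data: two reports from different hosts.
def sample_store
  ReportStore.new([Report.new(1, "web01.example.com"), Report.new(2, "db01.example.com")])
end

# Constructed user: holds both permissions but is filtered to web01 only.
def sample_user
  User.new(permissions: [:view_reports, :destroy_reports], host_filter: ["web01.example.com"])
end
```

With the sample data, the vulnerable controller returns (and deletes) report 2 for a user whose filter only covers web01; the hardened controller raises "forbidden" for report 2 and serves report 1. The practical check for this class of bug is the same in any framework: every `find` on a permission-guarded action must go through the authorized scope, not the bare model.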

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
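Because the plugin only compares installed package versions against the fixed versions, the same check can be reproduced locally when validating the update. The block below is an added example, not Tenable's plugin code: it implements the rpmvercmp segment ordering (numeric segments compared by value, alpha segments lexically, '~' sorting before everything), compares epoch, version and release in that order, and reports which installed packages are older than their fixed EVR. The fixed EVRs and the rpm -qa lines are constructed placeholders for illustration, not the values from RHSA-2015:2622; take the real fixed versions from the advisory.

```ruby
# Added example of the version-only check Nessus describes; not Tenable code.
# The fixed EVRs and the rpm -qa output below are CONSTRUCTED placeholders.

# rpmvercmp: segment-wise comparison of two version or release strings.
# Returns -1, 0 or 1. Handles numeric vs alpha segments and the '~' pre-release
# marker; the newer '^' post-release marker is not implemented here.
def rpmvercmp(a, b)
  return 0 if a == b
  i = 0
  j = 0
  while i < a.length || j < b.length
    # Skip separators (anything that is not alphanumeric or '~').
    i += 1 while i < a.length && !a[i].match?(/[[:alnum:]~]/)
    j += 1 while j < b.length && !b[j].match?(/[[:alnum:]~]/)
    # '~' sorts before everything, including the end of the string.
    if a[i] == "~" || b[j] == "~"
      return -1 if a[i] == "~" && b[j] != "~"
      return 1 if a[i] != "~" && b[j] == "~"
      i += 1
      j += 1
      next
    end
    break if i >= a.length || j >= b.length
    # Take a run of digits or a run of letters from each side.
    isnum = a[i].match?(/\d/)
    pattern = isnum ? /\A\d+/ : /\A[[:alpha:]]+/
    sa = a[i..][pattern]
    sb = b[j..][pattern]
    # Segments of different type: a numeric segment is always newer than alpha.
    if sb.nil?
      return isnum ? 1 : -1
    end
    i += sa.length
    j += sb.length
    if isnum
      sa = sa.sub(/\A0+/, "")
      sb = sb.sub(/\A0+/, "")
      return 1 if sa.length > sb.length
      return -1 if sa.length < sb.length
    end
    c = sa <=> sb
    return c unless c.zero?
  end
  return 0 if i >= a.length && j >= b.length
  i < a.length ? 1 : -1
end

# Compare two {epoch:, version:, release:} hashes; epoch wins first.
def evr_cmp(a, b)
  c = a[:epoch].to_i <=> b[:epoch].to_i
  return c unless c.zero?
  c = rpmvercmp(a[:version], b[:version])
  return c unless c.zero?
  rpmvercmp(a[:release], b[:release])
end

# Parse lines produced by:
#   rpm -qa --qf '%{NAME}|%{EPOCH}|%{VERSION}|%{RELEASE}\n'
# rpm prints "(none)" for an unset epoch, which is equivalent to 0.
def parse_rpm_qa(text)
  text.each_line.with_object({}) do |line, installed|
    name, epoch, version, release = line.strip.split("|")
    next if name.nil? || name.empty?
    installed[name] = { epoch: epoch == "(none)" ? "0" : epoch, version: version, release: release }
  end
end

# Names of packages that are installed and older than their fixed EVR.
def vulnerable_packages(rpm_qa_text, fixed)
  installed = parse_rpm_qa(rpm_qa_text)
  fixed.select { |name, evr| installed.key?(name) && evr_cmp(installed[name], evr) < 0 }.keys
end

# CONSTRUCTED placeholder fixed EVRs (not the real RHSA-2015:2622 values).
FIXED_EVRS = {
  "foreman"       => { epoch: "0", version: "1.7.2.50", release: "1.el7sat" },
  "foreman-proxy" => { epoch: "0", version: "1.7.2.6",  release: "1.el7sat" },
  "katello-agent" => { epoch: "0", version: "2.2.7",    release: "1.el7sat" },
}.freeze

# CONSTRUCTED sample of rpm -qa output in the format above.
SAMPLE_RPM_QA = <<~RPM
  foreman|(none)|1.7.2.49|1.el7sat
  foreman-proxy|(none)|1.7.2.6|1.el7sat
  katello-agent|(none)|2.2.6|1.el7sat
  bash|(none)|4.2.46|19.el7
RPM

puts vulnerable_packages(SAMPLE_RPM_QA, FIXED_EVRS).inspect if $PROGRAM_NAME == __FILE__
```

On a real host, replace SAMPLE_RPM_QA with the output of the rpm query shown in the comment and FIXED_EVRS with the package list from the advisory. As with the Nessus plugin, this says nothing about whether the flaw is actually reachable; it only tells you whether the package set is at or past the fixed release, which is why the epoch must be compared first and why plain string comparison of version numbers (where "1.10" would sort before "1.9") is not good enough.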

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?63b2259d

https://access.redhat.com/errata/RHSA-2015:2622

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1180637

https://bugzilla.redhat.com/show_bug.cgi?id=1209139

https://bugzilla.redhat.com/show_bug.cgi?id=1209929

https://bugzilla.redhat.com/show_bug.cgi?id=1230915

https://bugzilla.redhat.com/show_bug.cgi?id=1246054

https://bugzilla.redhat.com/show_bug.cgi?id=1254909

https://bugzilla.redhat.com/show_bug.cgi?id=1255021

https://bugzilla.redhat.com/show_bug.cgi?id=1258061

https://bugzilla.redhat.com/show_bug.cgi?id=1258521

https://bugzilla.redhat.com/show_bug.cgi?id=1258578

https://bugzilla.redhat.com/show_bug.cgi?id=1262443

https://bugzilla.redhat.com/show_bug.cgi?id=1263741

https://bugzilla.redhat.com/show_bug.cgi?id=1269509

https://bugzilla.redhat.com/show_bug.cgi?id=1276443

https://bugzilla.redhat.com/show_bug.cgi?id=1276676

https://bugzilla.redhat.com/show_bug.cgi?id=1277269

https://bugzilla.redhat.com/show_bug.cgi?id=1279502

Plugin Details

Severity: Medium

ID: 87452

File Name: redhat-RHSA-2015-2622.nasl

Version: 2.13

Type: local

Agent: unix

Published: 12/17/2015

Updated: 6/3/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.5

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2015-5233

CVSS v3

Risk Factor: Medium

Base Score: 4.2

Temporal Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:foreman-vmware, p-cpe:/a:redhat:enterprise_linux:foreman, p-cpe:/a:redhat:enterprise_linux:foreman-compute, p-cpe:/a:redhat:enterprise_linux:gofer, p-cpe:/a:redhat:enterprise_linux:rubygem-newt, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_discovery_image, cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-foreman_discovery, p-cpe:/a:redhat:enterprise_linux:python-gofer, p-cpe:/a:redhat:enterprise_linux:foreman-postgresql, p-cpe:/a:redhat:enterprise_linux:libqpid-dispatch, p-cpe:/a:redhat:enterprise_linux:qpid-dispatch, p-cpe:/a:redhat:enterprise_linux:foreman-proxy, p-cpe:/a:redhat:enterprise_linux:katello-installer-base, p-cpe:/a:redhat:enterprise_linux:python-gofer-proton, p-cpe:/a:redhat:enterprise_linux:python-gofer-qpid, p-cpe:/a:redhat:enterprise_linux:qpid-proton-c, p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-foreman-redhat_access, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_discovery, p-cpe:/a:redhat:enterprise_linux:capsule-installer, p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image, p-cpe:/a:redhat:enterprise_linux:python-qpid-proton, p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-redhat_access_lib, p-cpe:/a:redhat:enterprise_linux:rubygem-hammer_cli_foreman_docker-doc, p-cpe:/a:redhat:enterprise_linux:katello-installer, p-cpe:/a:redhat:enterprise_linux:qpid-dispatch-tools, p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-foreman_bootdisk, p-cpe:/a:redhat:enterprise_linux:foreman-ovirt, p-cpe:/a:redhat:enterprise_linux:qpid-dispatch-router, p-cpe:/a:redhat:enterprise_linux:qpid-proton, p-cpe:/a:redhat:enterprise_linux:foreman-gce, p-cpe:/a:redhat:enterprise_linux:python-nectar, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:python-qpid, p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-katello, p-cpe:/a:redhat:enterprise_linux:foreman-libvirt, p-cpe:/a:redhat:enterprise_linux:katello-agent, p-cpe:/a:redhat:enterprise_linux:foreman-debug, p-cpe:/a:redhat:enterprise_linux:rubygem-hammer_cli_foreman_docker

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 12/15/2015

Vulnerability Publication Date: 4/11/2016

Reference Information

CVE: CVE-2015-5233

CWE: 284

RHSA: 2015:2622