Issued:
2012-12-04
Updated:
2012-12-04

RHSA-2012:1543 - Important: CloudForms System Engine 1.1 update

Synopsis

Important: CloudForms System Engine 1.1 update

Type/Severity

Security Advisory Important

Topic

Updated CloudForms System Engine packages that fix multiple security issues, several bugs, and add enhancements are now available.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Description

Red Hat CloudForms is an on-premise hybrid cloud Infrastructure-as-a-Service (IaaS) product that lets you create and manage private and public clouds.

This update fixes bugs in and adds enhancements to the System Engine packages, and upgrades the system to CloudForms 1.1.

This update also fixes the following security issues:

It was discovered that Katello did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to download consumer certificates or change settings of other users' systems if they knew the target system's UUID. (CVE-2012-5603)

It was discovered that Pulp logged administrative passwords to a world readable log file. A local attacker could use this flaw to control systems deployed and managed by CloudForms. (CVE-2012-3538)

It was discovered that the Pulp configuration file pulp.conf was installed as world readable. A local attacker could use this flaw to view the administrative password, allowing them to control systems deployed and managed by CloudForms. (CVE-2012-4574)

It was discovered that grinder used insecure permissions for its cache directory. A local attacker could use this flaw to access or modify files in the cache. (CVE-2012-5605)

The CVE-2012-5603 issue was discovered by Lukas Zapletal of Red Hat; CVE-2012-3538 was discovered by James Laska of Red Hat; CVE-2012-4574 was discovered by Kurt Seifried of Red Hat; and CVE-2012-5605 was discovered by James Labocki of Red Hat.

After upgrading to these new packages, follow the instructions in the "4.1. Upgrading CloudForms System Engine" section of the CloudForms 1.1 Installation Guide:

This content is not included.https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Installation_Guide/index.html

To view the full list of changes in this update, view the CloudForms Technical Notes:

This content is not included.https://access.redhat.com/knowledge/docs/en-US/CloudForms/1.1/html/Technical_Notes/index.html

Users are advised to upgrade to these updated CloudForms System Engine packages, which resolve these issues and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

Affected Products

ProductVersionArch
Red Hat Enterprise Linux Server5x86_64
Red Hat Enterprise Linux Server5i386

Updated Packages

  • gofer-0.66.1-2.el5.src.rpm
  • gofer-0.66.1-2.el5.noarch.rpm
  • katello-agent-1.1.2-1.el5.noarch.rpm
  • gofer-watchdog-0.66.1-2.el5.noarch.rpm
  • python-gofer-0.66.1-2.el5.noarch.rpm
  • gofer-package-0.66.1-2.el5.noarch.rpm
  • katello-agent-1.1.2-1.el5.src.rpm

Fixes

CVEs

References

Additional information