RHEL 6 : candlepin in Subscription Asset Manager (RHSA-2013:1863)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated candlepin packages that fix one security issue are now
available for Red Hat Subscription Asset Manager.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System
(CVSS) base score, which gives a detailed severity rating, is
available from the CVE link in the References section.

Candlepin is an open source entitlement management system. It tracks
the products to which an owner has subscribed, and allows the owner
to consume the subscriptions based on configurable business rules.

It was discovered that, by default, Candlepin enabled a very weak
authentication scheme if no setting was specified in the configuration
file. (CVE-2013-6439)

This issue was discovered by Adrian Likins of Red Hat.

Note: The configuration file as supplied by Subscription Asset Manager
1.2 and 1.3 had this unsafe authentication mode disabled; however,
users who have upgraded from Subscription Asset Manager 1.1 or earlier
and who have not added 'candlepin.auth.trusted.enable = false' to the
Candlepin configuration will be affected by this issue.

Users of Subscription Asset Manager 1.0 or 1.1 who cannot upgrade
should add the following to '/etc/candlepin/candlepin.conf' :

candlepin.auth.trusted.enable = false
candlepin.auth.trusted.enabled = false

Users of Subscription Asset Manager 1.2 or 1.3 who cannot upgrade
should only need to add :

candlepin.auth.trusted.enable = false

Installing this upgrade disables the unsafe authentication scheme
unless it is specifically enabled in the configuration.
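The rules above (unfixed packages enable the weak scheme unless the configuration disables it; SAM 1.0/1.1 read the 'enabled' spelling while 1.2/1.3 read 'enable'; fixed packages disable it unless explicitly enabled) can be applied to a candlepin.conf mechanically. The following Python checker is an added example, not part of this Nessus plugin and not Candlepin's own code. It assumes a minimal Java .properties reader is sufficient for the file, that only the literal values 'true' and 'false' (case-insensitive) are meaningful, and that the version-to-key mapping is exactly what the advisory states; the sample configurations are constructed here, not taken from any host.

```python
"""Audit a candlepin.conf for the CVE-2013-6439 trusted-auth default.

Added example for this advisory page; not Tenable's plugin code and not
part of Candlepin.  It encodes only what the advisory states:
  - unfixed packages enable the weak 'trusted' scheme unless the
    configuration disables it explicitly;
  - SAM 1.0/1.1 honour 'candlepin.auth.trusted.enabled', SAM 1.2/1.3
    honour 'candlepin.auth.trusted.enable', so pre-1.2 users set both;
  - fixed packages disable the scheme unless it is explicitly enabled.
Treating only literal 'true'/'false' as meaningful is an assumption.
"""
import re
from pathlib import Path

# Both key spellings named in the advisory.
TRUSTED_AUTH_KEYS = ("candlepin.auth.trusted.enable", "candlepin.auth.trusted.enabled")


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' / 'key=value' / 'key: value'.
    '#' and '!' comments and blank lines are ignored; a later key overrides an
    earlier one.  Line continuations and escapes are deliberately not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def keys_to_disable(sam_version):
    """Keys that must read 'false' to turn the scheme off on unfixed packages:
    both spellings for SAM < 1.2, only '.enable' for SAM 1.2 and 1.3."""
    major, minor = (int(x) for x in sam_version.split(".")[:2])
    return TRUSTED_AUTH_KEYS if (major, minor) < (1, 2) else TRUSTED_AUTH_KEYS[:1]


def trusted_auth_enabled(conf_text, sam_version, patched=False):
    """True if the weak trusted-auth scheme would be active with this config."""
    props = parse_properties(conf_text)
    if patched:
        # RHSA-2013:1863 packages: off unless some key explicitly turns it on.
        return any(props.get(k, "").lower() == "true" for k in TRUSTED_AUTH_KEYS)
    # Unfixed packages: on unless every version-relevant key is explicitly 'false'.
    return not all(props.get(k, "").lower() == "false" for k in keys_to_disable(sam_version))


def missing_mitigation_lines(conf_text, sam_version):
    """Lines the advisory says to append to /etc/candlepin/candlepin.conf when
    the update cannot be installed; empty when nothing is missing."""
    props = parse_properties(conf_text)
    return [f"{k} = false" for k in keys_to_disable(sam_version)
            if props.get(k, "").lower() != "false"]


# Constructed sample configurations; not files taken from any real host.
CONF_CARRIED_OVER_FROM_1_1 = """\
# candlepin.conf kept across an upgrade from SAM 1.1: no trusted-auth setting
candlepin.db.url = jdbc:postgresql://localhost/candlepin
"""
CONF_AS_SHIPPED_WITH_1_3 = """\
candlepin.auth.trusted.enable = false
candlepin.db.url = jdbc:postgresql://localhost/candlepin
"""
CONF_EXPLICITLY_ENABLED = "candlepin.auth.trusted.enable=true\n"


def audit_file(path="/etc/candlepin/candlepin.conf", sam_version="1.3", patched=False):
    """Read a real config and return (scheme_enabled, lines_to_add)."""
    text = Path(path).read_text()
    return trusted_auth_enabled(text, sam_version, patched), missing_mitigation_lines(text, sam_version)


if __name__ == "__main__":
    for name, conf in [("carried over from 1.1", CONF_CARRIED_OVER_FROM_1_1),
                       ("as shipped with 1.3", CONF_AS_SHIPPED_WITH_1_3),
                       ("explicitly enabled", CONF_EXPLICITLY_ENABLED)]:
        for patched in (False, True):
            print(f"{name:22} patched={patched!s:5} trusted auth enabled:",
                  trusted_auth_enabled(conf, "1.3", patched))
        print("  lines to add on SAM 1.1:", missing_mitigation_lines(conf, "1.1"))
```

On a live host, call audit_file() with the installed Subscription Asset Manager version and whether the RHSA-2013:1863 packages are present; a config that was carried over from 1.1 with no trusted-auth key reports the scheme as enabled on unfixed packages and as disabled once the update is installed, which is the case the advisory's note describes. Whatever the result, the setting only takes effect after Candlepin is restarted.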

Users of Red Hat Subscription Asset Manager are advised to upgrade to
these updated packages, which correct this issue. Candlepin must be
restarted for this update to take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2013-6439.html
http://rhn.redhat.com/errata/RHSA-2013-1863.html

Solution :

Update the affected candlepin, candlepin-selinux and / or
candlepin-tomcat6 packages.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Red Hat Local Security Checks

Nessus Plugin ID: 76187

Bugtraq ID: 64515

CVE ID: CVE-2013-6439