RHEL 7 : Satellite 6.3 (RHSA-2018:0336)

High | Nessus Plugin ID 107053

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities, as referenced in the RHSA-2018:0336 advisory.

- rubygem-will_paginate: XSS vulnerabilities (CVE-2013-6459)

- foreman: models with a 'belongs_to' association to an Organization do not verify that the association belongs to that Organization (CVE-2014-8183)

- V8: integer overflow leading to buffer overflow in Zone::New (CVE-2016-1669)

- foreman: inspect in a provisioning template exposes sensitive controller information (CVE-2016-3693)

- pulp: Leakage of CA key in pulp-qpid-ssl-cfg (CVE-2016-3696)

- pulp: Unsafe use of bash $RANDOM for NSS DB password and seed (CVE-2016-3704)

- foreman: privilege escalation through Organization and Locations API (CVE-2016-4451)

- foreman: Information disclosure in provisioning template previews (CVE-2016-4995)

- foreman: inside discovery-debug, the root password is displayed in plaintext (CVE-2016-4996)

- foreman: Persistent XSS in Foreman remote execution plugin (CVE-2016-6319)

- foreman: Foreman information leak through unauthorized multiple_checkboxes helper (CVE-2016-7077)

- foreman: Information leak through organizations and locations feature (CVE-2016-7078)

- foreman: Stored XSS vulnerability in remote execution plugin (CVE-2016-8613)

- foreman: Stored XSS in org/loc wizard (CVE-2016-8634)

- foreman: Stored XSS via organization/location with HTML in name (CVE-2016-8639)

- foreman-debug: missing obfuscation of sensitive information (CVE-2016-9593)

- katello-debug: Possible symlink attacks due to use of predictable file names (CVE-2016-9595)

- puppet: Unsafe YAML deserialization (CVE-2017-2295)

- rubygem-hammer_cli: no verification of API server's SSL certificate (CVE-2017-2667)

- foreman: Image password leak (CVE-2017-2672)

- Interconnect: Denial of Service vulnerability in Red Hat JBoss AMQ Interconnect (CVE-2017-15699)

- katello: SQL injection in errata-related REST API (CVE-2018-14623)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?809d0a34

http://www.nessus.org/u?eab6a4df

https://access.redhat.com/errata/RHSA-2018:0336

https://access.redhat.com/security/updates/classification/#important

https://bugzilla.redhat.com/show_bug.cgi?id=1019214

https://bugzilla.redhat.com/show_bug.cgi?id=1046642

https://bugzilla.redhat.com/show_bug.cgi?id=1132402

https://bugzilla.redhat.com/show_bug.cgi?id=1133515

https://bugzilla.redhat.com/show_bug.cgi?id=1140671

https://bugzilla.redhat.com/show_bug.cgi?id=1144042

https://bugzilla.redhat.com/show_bug.cgi?id=1145653

https://bugzilla.redhat.com/show_bug.cgi?id=1154382

https://bugzilla.redhat.com/show_bug.cgi?id=1177766

https://bugzilla.redhat.com/show_bug.cgi?id=1187338

https://bugzilla.redhat.com/show_bug.cgi?id=1190002

https://bugzilla.redhat.com/show_bug.cgi?id=1199204

https://bugzilla.redhat.com/show_bug.cgi?id=1210878

https://bugzilla.redhat.com/show_bug.cgi?id=1215825

https://bugzilla.redhat.com/show_bug.cgi?id=1217523

https://bugzilla.redhat.com/show_bug.cgi?id=1245642

https://bugzilla.redhat.com/show_bug.cgi?id=1255484

https://bugzilla.redhat.com/show_bug.cgi?id=1257588

https://bugzilla.redhat.com/show_bug.cgi?id=1260697

https://bugzilla.redhat.com/show_bug.cgi?id=1263748

https://bugzilla.redhat.com/show_bug.cgi?id=1264043

https://bugzilla.redhat.com/show_bug.cgi?id=1264732

https://bugzilla.redhat.com/show_bug.cgi?id=1265125

https://bugzilla.redhat.com/show_bug.cgi?id=1270771

https://bugzilla.redhat.com/show_bug.cgi?id=1274159

https://bugzilla.redhat.com/show_bug.cgi?id=1278642

https://bugzilla.redhat.com/show_bug.cgi?id=1278644

https://bugzilla.redhat.com/show_bug.cgi?id=1284686

https://bugzilla.redhat.com/show_bug.cgi?id=1291935

https://bugzilla.redhat.com/show_bug.cgi?id=1292510

https://bugzilla.redhat.com/show_bug.cgi?id=1293538

https://bugzilla.redhat.com/show_bug.cgi?id=1303103

https://bugzilla.redhat.com/show_bug.cgi?id=1304608

https://bugzilla.redhat.com/show_bug.cgi?id=1305059

https://bugzilla.redhat.com/show_bug.cgi?id=1306723

https://bugzilla.redhat.com/show_bug.cgi?id=1309569

https://bugzilla.redhat.com/show_bug.cgi?id=1309944

https://bugzilla.redhat.com/show_bug.cgi?id=1313634

https://bugzilla.redhat.com/show_bug.cgi?id=1317614

https://bugzilla.redhat.com/show_bug.cgi?id=1318534

https://bugzilla.redhat.com/show_bug.cgi?id=1323436

https://bugzilla.redhat.com/show_bug.cgi?id=1324508

https://bugzilla.redhat.com/show_bug.cgi?id=1327030

https://bugzilla.redhat.com/show_bug.cgi?id=1327471

https://bugzilla.redhat.com/show_bug.cgi?id=1328238

https://bugzilla.redhat.com/show_bug.cgi?id=1328930

https://bugzilla.redhat.com/show_bug.cgi?id=1330264

https://bugzilla.redhat.com/show_bug.cgi?id=1335449

https://bugzilla.redhat.com/show_bug.cgi?id=1336924

https://bugzilla.redhat.com/show_bug.cgi?id=1339715

https://bugzilla.redhat.com/show_bug.cgi?id=1339889

https://bugzilla.redhat.com/show_bug.cgi?id=1340559

https://bugzilla.redhat.com/show_bug.cgi?id=1342623

https://bugzilla.redhat.com/show_bug.cgi?id=1344049

https://bugzilla.redhat.com/show_bug.cgi?id=1348939

https://bugzilla.redhat.com/show_bug.cgi?id=1349136

https://bugzilla.redhat.com/show_bug.cgi?id=1361473

https://bugzilla.redhat.com/show_bug.cgi?id=1365815

https://bugzilla.redhat.com/show_bug.cgi?id=1366029

https://bugzilla.redhat.com/show_bug.cgi?id=1370168

https://bugzilla.redhat.com/show_bug.cgi?id=1376134

https://bugzilla.redhat.com/show_bug.cgi?id=1376191

https://bugzilla.redhat.com/show_bug.cgi?id=1382356

https://bugzilla.redhat.com/show_bug.cgi?id=1382735

https://bugzilla.redhat.com/show_bug.cgi?id=1384146

https://bugzilla.redhat.com/show_bug.cgi?id=1384548

https://bugzilla.redhat.com/show_bug.cgi?id=1386266

https://bugzilla.redhat.com/show_bug.cgi?id=1386278

https://bugzilla.redhat.com/show_bug.cgi?id=1390545

https://bugzilla.redhat.com/show_bug.cgi?id=1391831

https://bugzilla.redhat.com/show_bug.cgi?id=1393291

https://bugzilla.redhat.com/show_bug.cgi?id=1393409

https://bugzilla.redhat.com/show_bug.cgi?id=1394056

https://bugzilla.redhat.com/show_bug.cgi?id=1402922

https://bugzilla.redhat.com/show_bug.cgi?id=1406384

https://bugzilla.redhat.com/show_bug.cgi?id=1406729

https://bugzilla.redhat.com/show_bug.cgi?id=1410872

https://bugzilla.redhat.com/show_bug.cgi?id=1412186

https://bugzilla.redhat.com/show_bug.cgi?id=1413851

https://bugzilla.redhat.com/show_bug.cgi?id=1416119

https://bugzilla.redhat.com/show_bug.cgi?id=1417073

https://bugzilla.redhat.com/show_bug.cgi?id=1420711

https://bugzilla.redhat.com/show_bug.cgi?id=1422458

https://bugzilla.redhat.com/show_bug.cgi?id=1425121

https://bugzilla.redhat.com/show_bug.cgi?id=1425523

https://bugzilla.redhat.com/show_bug.cgi?id=1426404

https://bugzilla.redhat.com/show_bug.cgi?id=1426411

https://bugzilla.redhat.com/show_bug.cgi?id=1426448

https://bugzilla.redhat.com/show_bug.cgi?id=1428761

https://bugzilla.redhat.com/show_bug.cgi?id=1429426

https://bugzilla.redhat.com/show_bug.cgi?id=1434069

https://bugzilla.redhat.com/show_bug.cgi?id=1435972

https://bugzilla.redhat.com/show_bug.cgi?id=1436262

https://bugzilla.redhat.com/show_bug.cgi?id=1438376

https://bugzilla.redhat.com/show_bug.cgi?id=1439537

https://bugzilla.redhat.com/show_bug.cgi?id=1439850

https://bugzilla.redhat.com/show_bug.cgi?id=1445807

https://bugzilla.redhat.com/show_bug.cgi?id=1446707

https://bugzilla.redhat.com/show_bug.cgi?id=1446719

https://bugzilla.redhat.com/show_bug.cgi?id=1452124

https://bugzilla.redhat.com/show_bug.cgi?id=1455057

https://bugzilla.redhat.com/show_bug.cgi?id=1455455

https://bugzilla.redhat.com/show_bug.cgi?id=1458817

https://bugzilla.redhat.com/show_bug.cgi?id=1464224

https://bugzilla.redhat.com/show_bug.cgi?id=1468248

https://bugzilla.redhat.com/show_bug.cgi?id=1480346

https://bugzilla.redhat.com/show_bug.cgi?id=1480348

https://bugzilla.redhat.com/show_bug.cgi?id=1480886

https://bugzilla.redhat.com/show_bug.cgi?id=1493001

https://bugzilla.redhat.com/show_bug.cgi?id=1493494

https://bugzilla.redhat.com/show_bug.cgi?id=1517827

https://bugzilla.redhat.com/show_bug.cgi?id=1529099

Plugin Details

Severity: High

ID: 107053

File Name: redhat-RHSA-2018-0336.nasl

Version: 3.8

Type: local

Agent: unix

Published: 2/28/2018

Updated: 4/27/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-1669

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2017-2672

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:candlepin, p-cpe:/a:redhat:enterprise_linux:candlepin-selinux, p-cpe:/a:redhat:enterprise_linux:foreman, p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat, p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat-tftpboot, p-cpe:/a:redhat:enterprise_linux:foreman-cli, p-cpe:/a:redhat:enterprise_linux:foreman-compute, p-cpe:/a:redhat:enterprise_linux:foreman-debug, p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image, p-cpe:/a:redhat:enterprise_linux:foreman-ec2, p-cpe:/a:redhat:enterprise_linux:foreman-gce, p-cpe:/a:redhat:enterprise_linux:foreman-installer, p-cpe:/a:redhat:enterprise_linux:foreman-installer-katello, p-cpe:/a:redhat:enterprise_linux:foreman-libvirt, p-cpe:/a:redhat:enterprise_linux:foreman-openstack, p-cpe:/a:redhat:enterprise_linux:foreman-ovirt, p-cpe:/a:redhat:enterprise_linux:foreman-postgresql, p-cpe:/a:redhat:enterprise_linux:foreman-proxy, p-cpe:/a:redhat:enterprise_linux:foreman-proxy-content, p-cpe:/a:redhat:enterprise_linux:foreman-rackspace, p-cpe:/a:redhat:enterprise_linux:foreman-selinux, p-cpe:/a:redhat:enterprise_linux:foreman-vmware, p-cpe:/a:redhat:enterprise_linux:hiera, p-cpe:/a:redhat:enterprise_linux:katello, p-cpe:/a:redhat:enterprise_linux:katello-certs-tools, p-cpe:/a:redhat:enterprise_linux:katello-client-bootstrap, p-cpe:/a:redhat:enterprise_linux:katello-common, p-cpe:/a:redhat:enterprise_linux:katello-debug, p-cpe:/a:redhat:enterprise_linux:katello-installer-base, p-cpe:/a:redhat:enterprise_linux:katello-selinux, p-cpe:/a:redhat:enterprise_linux:katello-service, p-cpe:/a:redhat:enterprise_linux:kobo, p-cpe:/a:redhat:enterprise_linux:pulp, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_admin, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_bootdisk, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_discovery, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_docker, 
p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_openscap, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_remote_execution, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_tasks, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_virt_who_configure, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_katello, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-katello, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-katello_ostree, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ovirt_provision_plugin, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dynflow_core, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:pulp-admin-client, p-cpe:/a:redhat:enterprise_linux:pulp-docker, p-cpe:/a:redhat:enterprise_linux:pulp-docker-admin-extensions, p-cpe:/a:redhat:enterprise_linux:pulp-docker-plugins, p-cpe:/a:redhat:enterprise_linux:pulp-katello, p-cpe:/a:redhat:enterprise_linux:pulp-nodes-child, p-cpe:/a:redhat:enterprise_linux:pulp-nodes-common, p-cpe:/a:redhat:enterprise_linux:pulp-nodes-parent, p-cpe:/a:redhat:enterprise_linux:pulp-ostree, p-cpe:/a:redhat:enterprise_linux:pulp-ostree-admin-extensions, p-cpe:/a:redhat:enterprise_linux:pulp-ostree-plugins, p-cpe:/a:redhat:enterprise_linux:pulp-puppet, p-cpe:/a:redhat:enterprise_linux:pulp-puppet-admin-extensions, p-cpe:/a:redhat:enterprise_linux:pulp-puppet-plugins, p-cpe:/a:redhat:enterprise_linux:pulp-puppet-tools, p-cpe:/a:redhat:enterprise_linux:pulp-rpm, p-cpe:/a:redhat:enterprise_linux:pulp-rpm-admin-extensions, p-cpe:/a:redhat:enterprise_linux:pulp-rpm-plugins, p-cpe:/a:redhat:enterprise_linux:pulp-selinux, p-cpe:/a:redhat:enterprise_linux:pulp-server, p-cpe:/a:redhat:enterprise_linux:puppet-foreman_scap_client, p-cpe:/a:redhat:enterprise_linux:python-pulp-agent-lib, p-cpe:/a:redhat:enterprise_linux:python-pulp-bindings, p-cpe:/a:redhat:enterprise_linux:python-pulp-client-lib, p-cpe:/a:redhat:enterprise_linux:python-pulp-common, 
p-cpe:/a:redhat:enterprise_linux:python-pulp-docker-common, p-cpe:/a:redhat:enterprise_linux:python-pulp-oid_validation, p-cpe:/a:redhat:enterprise_linux:python-pulp-ostree-common, p-cpe:/a:redhat:enterprise_linux:python-pulp-puppet-common, p-cpe:/a:redhat:enterprise_linux:python-pulp-repoauth, p-cpe:/a:redhat:enterprise_linux:python-pulp-rpm-common, p-cpe:/a:redhat:enterprise_linux:python-pulp-streamer, p-cpe:/a:redhat:enterprise_linux:python-zope-interface, p-cpe:/a:redhat:enterprise_linux:redhat-access-insights-puppet, p-cpe:/a:redhat:enterprise_linux:rubygem-foreman_scap_client, p-cpe:/a:redhat:enterprise_linux:rubygem-kafo, p-cpe:/a:redhat:enterprise_linux:rubygem-kafo_parsers, p-cpe:/a:redhat:enterprise_linux:rubygem-kafo_wizards, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dhcp_remote_isc, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_discovery, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_discovery_image, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_dynflow, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_openscap, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_pulp, p-cpe:/a:redhat:enterprise_linux:rubygem-smart_proxy_remote_execution_ssh, p-cpe:/a:redhat:enterprise_linux:rubygem-tilt, p-cpe:/a:redhat:enterprise_linux:satellite, p-cpe:/a:redhat:enterprise_linux:satellite-capsule, p-cpe:/a:redhat:enterprise_linux:satellite-cli, p-cpe:/a:redhat:enterprise_linux:satellite-common, p-cpe:/a:redhat:enterprise_linux:satellite-debug-tools, p-cpe:/a:redhat:enterprise_linux:satellite-installer, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-bastion, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-redhat_access, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks-core, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_bootdisk, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_discovery, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_docker, 
p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_hooks, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_openscap, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution_core, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_templates, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_theme_satellite, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_virt_who_configure, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_csv, p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/21/2018

Vulnerability Publication Date: 12/31/2013

Reference Information

CVE: CVE-2013-6459, CVE-2014-8183, CVE-2016-1669, CVE-2016-3693, CVE-2016-3696, CVE-2016-3704, CVE-2016-4451, CVE-2016-4995, CVE-2016-4996, CVE-2016-6319, CVE-2016-7077, CVE-2016-7078, CVE-2016-8613, CVE-2016-8634, CVE-2016-8639, CVE-2016-9593, CVE-2016-9595, CVE-2017-15699, CVE-2017-2295, CVE-2017-2667, CVE-2017-2672, CVE-2018-14623

CWE: 190, 20, 200, 209, 284, 285, 312, 330, 345, 377, 502, 522, 532, 732, 79

RHSA: 2018:0336